by SoftTalker 1326 days ago
> (1) kill passwords; (2) make things simple.

Two diametrically opposed things in my experience.

Not a comment on this product specifically, but I have not used any authentication mechanism that is simpler than passwords. A password flows from my fingertips with almost no context switch. For everything else, I have to stop what I'm doing, find my phone or some other device, unlock it, do something with that, put that away, while in the process waiting for various browser redirects and hoping none of them fail, and then return my attention to what I was doing (if I can remember).

Passwords are simple. Everything else is not, in comparison.


> A password

Key word right here. A single password comes easy for me too, if I'm on desktop and not on my phone, console, or VR headset.

The problem is you need multiple passwords, on devices that have terrible typing experience.

Whether it's a password manager or a new public key auth standard matters less, what's important is that there's consensus on the APIs so we can get these products to end users.

I don't think the sentiment that "typing a password is easier to use than FaceID or TouchID" is very common.

Try to rotate your thumbprints more than 10 times or change your face after a data leak and then get back to us.

There are a billion iPhone users and so far no TouchID “data leak” has occurred as far as I know. Not even sure what it would mean, since your face/fingerprints are only stored on device.

But even if I had to setup touchid or faceid every year, hell every month, using it is still a whole lot more convenient (and probably safer) than typing in a password 10 times a day.

You have ten thumbs, that means 8.00000001 more than the average person, that's some high level of security there :D but you're right. I don't understand why Face ID is supposed to be secure. Anyone can take and use a picture of you. Same with fingerprints. Some hackers from CCC in Germany detected Angela Merkel's fingerprint from a press photo a few years ago, just to show how easily it can be done. These auth methods all require an extra factor that proves that it's you, in front of the screen, and not someone else, which is then more tedious than entering a password.

FaceID uses a 3D camera, so a photo is not enough.

Creating 3D data from a portrait photo is not that hard... nor is setting up a camera anywhere necessary to get your face's 3D data. My point is, the "secrets" (your face, your thumb) are out there in the open, and there are a lot of creative ways to steal and store them, unbeknownst to the user. That's not good, if you ask me.

A big difference in the threat model is attack surface:

1. Someone can steal or phish a password remotely from anywhere in the world (see: haveibeenpwned for plenty of known examples)

2. That same someone can make use of a stolen password in most websites and web applications remotely from anywhere in the world

3. Someone else can attempt through distributed brute force to crack a password from anywhere in the world as fast as a given web API will allow them

Versus:

1. Someone can capture your face data from a camera in your physical proximity

2. That someone can use your captured face data to gain access to specific devices only in physical proximity to those devices

3. There is no public API in iOS to try to brute force face data, much less remotely or in a distributed attack (and no currently known CVEs on Apple's Secure Enclave)

That's still an attack surface, certainly, but it is so much smaller an attack surface than that of traditional passwords that it is much better for the median and mode threat models of average users.

I can't tell you what your threat model is, of course, and would never suggest that there aren't good reasons to be paranoid about biometric unlocks. What I can encourage: know your threat models. Figure out exactly what it is you are scared of and learn how to defend against it. (I have my own paranoia, but I also learn my mitigations: I use face ID regularly, appreciate its convenience, and I also know that holding the top two buttons [Vol Up and Lock; the "Power" button combo] on an iPhone until the system vibrates is a fast and efficient way to temporarily disable all biometric locks until I next use a device PIN or cloud password.)

There are even more creative and common ways to make someone reveal their password, unbeknownst to them. Just good old phishing! Actually that’s demonstrably more probable than your face or thumb print getting stolen.

edit: typo

Great perspective, thank you for sharing. I might agree with this statement in the context of consumer authentication - when I am accessing my personal apps, websites, etc. Especially e-commerce is sensitive to login friction.

In my opinion, in the business / workplace setting, "simple" has additional context to consider, such as how you distribute a password to an employee, how you pair a password with MFA, how you manage the user records, what happens when an employee forgets the password, who you call when you need to reset a password or MFA, etc.

Therefore taking a mobile app and scanning a QR code to login is not quite hard after all...

I hear what you are saying, but I think this comment in conjunction with the parent comment speaks to the bigger issue, which is how do you make something easy for both IT and the end user? Yes, a solution like this may make it easier for IT to set things up and support their users, but I have had the same experience as OP with similar products at companies I’ve worked at. Logging into a system now means I have to find my phone, unlock it, open the app, scan the code, and provide a biometric (or passcode) again. That’s if everything goes smoothly; I might be prompted to change my phone’s password if I’m using a company phone with a password change policy, or something might happen with a redirect or the app. Now I’m completely out of the zone of what I was working on.

Or I can have SSO or a password manager and be logged in in less time than it takes me to grab my phone. As an end user I would much prefer the latter.

Okay, but what about biometric auth via fingerprint: passwordless & zero context switches (provided your device supports this).