this post was submitted on 21 May 2025
Linux
Can someone explain to me how using biometrics rather than a password/pin to protect from unauthorized access to your passkeys doesn't violate the "something you have" and "something you know" principle of multi-factor authorization? Most of these implementations seem squarely geared at user convenience at the cost of actual security.
Passwords can be secure when the end user picks a strong one. But that is the biggest problem with them, the end user. They don't pick good passwords and decades have shown us the general public are bad at passwords.
Passkeys are not biometrics. They are much simpler. In a very simple way you can think of them as a secure long random password that is stored on your device, generated per device, and not sent over the wire to the other side (so more like public/private key cryptography I believe).
The passkey on your device can be stored in an encrypted vault or even secure hardware that requires a pin/password or key to unlock.
They are not getting rid of multifactor codes and can be used with them. But by protecting them locally you can still have 2 factors to access them - the hardware/vault that contains them and the pin/password/biometric that unlocks the vault. And that is in addition to server side multifactor systems.
But even without all that you still gain massive benefits over passwords as it stops cross-site compromises when one site gets their password database leaked. Or brute forcing access to systems by guessing weak passwords that most people use.
https://en.wikipedia.org/wiki/Multi-factor_authentication :
This assumes a pin is used, which according to the WebAuthn Wikipedia page is not generally the case:
The way I read this, a pin is even too much for the end-user and biometrics replace it for usability.