This is not a compelling argument that 2FA is reduced to 1FA. You need either: something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode). In either case, there are still two factors. For a criminal to perform shoulder surfing and theft, more things must go right for them than to do either individually.
This makes some good points. Slightly off its main topic, can iOS or an app treat Face ID and passcode auth differently, or are they completely unified?
For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.
On Android at least, even if you know a device's PIN and can add new fingerprints, doing so will cause all apps to reject all future fingerprint authentication attempts (and force you to go through a manual reenrolling process that will require another type of authentication, which depends on the bank).
It makes the conclusions of types 1 and 4 very different.
Shoulder surfing a passcode isn’t failure of two factor back down to a single factor.
This would be the same as shoulder surfing your card pin and then stealing or cloning your card. There were two factors, the attacker just has access to both.
They needed an authenticated app and the pin at that point which is two factors. Because both are related to your iPhone means nothing, both your card’s pin and your card are related to your card and both can be compromised by the exact same attack with the exact same consequences.
I've seen a lot of services (none banks so far) move over to requiring a One Time Password in addition to a password or private key as a way to get "2 factor authentication".
Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.
For instance on an iPhone, you can register a new face for FaceID if you know the passcode.
I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into FaceId, all apps using that FaceId are supposed to (forced to?) re-authenticate.
> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.
and concludes with (emphasis mine):
> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.
Compromising the smartphone can let you get the password though, making it one factor. It would be more 2FA if you entered password on one device and used another (Yubikey, physical totp token) as a second factor.
> Passkeys, particularly when bound to a physical security key
And _only_ when bound to a physical security key. Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Overall a good set of points, and I think it highlights the issues with a lot of the lauded 'convenience' factors in the Apple ecosystem.
(Yes, I'm linking YouTube because unlike popular belief, some channels are actually informative, or some make it easy for us to understand the content.)
I would never use my fingerprint for authentication, because it's a flawed concept. The problem is, that your fingerprint is not a password. It's more like a username. That's because you leave your fingerprint everywhere, it's practically public information. The same can be told about your face.
So the threat model is someone physically stealing your phone and guessing/seeing your password. The #1 proposed solution is a Yubikey. Can't they steal that too?
(1) Their use of public-key cryptography is not quantum safe (against quantum computing). In contrast, passwords are very much quantum safe.
(2) They are tied to the provider. Why on Earth would I want to have the provider own my passkeys? Why would I want this vendor lock-in for my authentication?
(3) What if I want multiple accounts for a site? Some passkey vendors may support them, while others may not.
I realize this post is on a .ch domain, but in a US context "2FA" is a complete anti-feature. As a bank customer, the most important thing you can do to secure your account is to promptly check for unauthorized transactions. Anything that increases the friction to regularly logging in thus makes it harder to maintain your own security.
> Thieves actively exploit this by “shoulder surfing” a victim’s iPhone passcode before stealing the device
If someone is using biometrics how often are they really using their pin that this would at all be a valuable tactic? I very rarely actually need to enter my pin on my phone so this largely seems like a moot point?
Like yeah it is still technically possible but if we really get down to it, if someone were to get learn the pin than passkey is equally worthless since they could also use my phone then to authenticate anything passkey. Fairly surprised that software based passkeys are just skipped here since I doubt most people are using hardware based passkeys, particularly on mobile devices.
I think there is a bigger (not just banking) discussion to be had about what can be done your phone's pin. But with the convenience of biometrics set an actually strong password for your phone instead of a 4 or 6 digit code.
17 comments
[ 3.0 ms ] story [ 34.6 ms ] threadFor example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.
Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340
It makes the conclusions of types 1 and 4 very different.
This would be the same as shoulder surfing your card pin and then stealing or cloning your card. There were two factors, the attacker just has access to both.
They needed an authenticated app and the pin at that point which is two factors. Because both are related to your iPhone means nothing, both your card’s pin and your card are related to your card and both can be compromised by the exact same attack with the exact same consequences.
Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.
I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into FaceId, all apps using that FaceId are supposed to (forced to?) re-authenticate.
> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.
and concludes with (emphasis mine):
> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.
Looks like 2FA to me, not 1FA.
And _only_ when bound to a physical security key. Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Overall a good set of points, and I think it highlights the issues with a lot of the lauded 'convenience' factors in the Apple ecosystem.
https://www.youtube.com/watch?v=tJw2Kf1khlA
(Yes, I'm linking YouTube because unlike popular belief, some channels are actually informative, or some make it easy for us to understand the content.)
I would never use my fingerprint for authentication, because it's a flawed concept. The problem is, that your fingerprint is not a password. It's more like a username. That's because you leave your fingerprint everywhere, it's practically public information. The same can be told about your face.
(1) Their use of public-key cryptography is not quantum safe (against quantum computing). In contrast, passwords are very much quantum safe.
(2) They are tied to the provider. Why on Earth would I want to have the provider own my passkeys? Why would I want this vendor lock-in for my authentication?
(3) What if I want multiple accounts for a site? Some passkey vendors may support them, while others may not.
If someone is using biometrics how often are they really using their pin that this would at all be a valuable tactic? I very rarely actually need to enter my pin on my phone so this largely seems like a moot point?
Like yeah it is still technically possible but if we really get down to it, if someone were to get learn the pin than passkey is equally worthless since they could also use my phone then to authenticate anything passkey. Fairly surprised that software based passkeys are just skipped here since I doubt most people are using hardware based passkeys, particularly on mobile devices.
I think there is a bigger (not just banking) discussion to be had about what can be done your phone's pin. But with the convenience of biometrics set an actually strong password for your phone instead of a 4 or 6 digit code.