Passwordless = secretless ?
Lately I have been seeing more writing on how pernicious password are, than usual. Not all of which by vendors of passwordless solutions. These vendors’ product fall in the categories password-vaults, with or without browser plugins; or Single Sign-on solutions , with or without user federation. Sometimes coupled with biometrics-based authentication.
Why this recent rise in such writing should have happened, is not hard to figure. With home offices during the pandemic, users have had more experience with passwords in a corporate setting – and tech support have been correspondingly more strained by it.
That the use of passwords have problems need not be laboured. It does.
The only mercy on that front is that finally the virtue of frequently changing passwords have been seriously questioned. The more often something is changed, the more likely it is to be written down, or be derivative of past password or well-known information. This is obvious to anyone who has passwords, but apparently not to those writing policy on their management.
Complex and unique passwords rarely changed, are better than derivative passwords often changed.
What’s the alternative ? SSO – you login once and the session is essentially reused where ever needed; mitigates the problem, but can be a bear to setup. Federation: you login once and the ID itself is shifted around; Very secure but even more work to set up. Password vaults? Default in browser; weak security. Plugin with off-browser storage; Can be quite nice but still password protected. And neither of the above support off-browser logins.
Having set up plenty of SSO and federation solutions in my time, I am no stranger to what an ordeal such implementations can be. Password-vaults in browsers are a lot easier in this regard. Yet they still have passwords since the user’s accounts have them. If letting your browser store your password is not “on”, there are plugin solutions that do the same thing and store that password centrally (Okta is an example). Not all applications are browser-based of course. So you have stand alone password vaults that lets you store and retrieve at will. But those vaults have passwords themselves (which at least addresses the problem with browser’s default password vault – no protection). So the problem of passwords just shifted.

Enter biometrics. Not As Bad As It Used To Be, is the phrase that most commonly follows any mention of biometrics. Face scanning is no longer just for Bond villains. Regular people do it too. Finger print scanning is more reliable, as in actually allowing you access, but has been regularly fooled by photographs of fingers. Or actual fingers, as seen in any number of movies. Not that getting out the bolt cutter is needed. Getting hold of the fingerprints of a person is trivially easy. Face even more so. Assuming the scanner is not fooled by a mere picture held up in front of it, 3D printing will get the job done. 3D printing a face from a mere picture ? Ever heard of a stereoscope; Older than the cinematograph. Of course 3D printing a face from some sneakily obtained pictures is a serious commitment. And at the moment doable only for dedicated specialists. There will be an app for that within 5 years.
Ever notice that the cases appearing in the press over the last decade or so , where law enforcement officials had difficulties accessing a persons electronic devices. None of these devices were protected by biometrics. Ever wonder why?
Passwords are secrets. In the crypto literature they are not even called passwords but rather secrets. Something only you know. The provision of which proves you are you. Biometrics are by definition not secret. Obscure perhaps, but never secret. Law-enforcement loves biometrics. As well they should.
Fundamentally, replacing password with biometrics is like saying that you have no true secrets.
Let me flesh that last bit out a little. Secret is not a scalar quantity as they say in mathematics. There is more to it. A vector, as it were. Specifically: secret from whom is that extra dimension.
To say you have a secret it to say you have a secret from someone, possibly everyone. It is fundamentally a statement defining a group of persons: Those who have access to the secret. Only one person perhaps – you.
Password security is knowledge based and biometrics security is object based. And objects are not secret in the way knowledge can be. Access to those objects can not be controlled in the way access to knowledge can be. The group with access to the object is never of one.
Does this mean biometric authentication is a red herring. Or worse. No. Access control is a risk management implementation. There various authentication mechanisms are selected to match the level of identity assurance required. But to say that biometrics are always more secure than passwords it to overlook it’s intrinsic weakness: it isn’t secret.

A new, even-lower from Facebook aka. deception where you most expect it

When you post a link on Facebook , FB does a retrieval from where the link points to and sets up a little display of what that is. A small picture and some text collected from the page. To show you what’s at the end of the URL

And also shows the URL in full. This is where you are supposed to click. Those with some HTML knowledge, know that what is actually used by the browser when going to a link is not the text displayed on the page, which is meant to be human readable (and is contained inside the “a”-tags in the html) , but something else buried inside the markup (in the href attribute of the a-tag.  )

Most browsers show this true URL in the small bar at the bottom of the page when you hover the mouse of the URL. So you can see whare you are going before you click. Everyone should always se where they are about to go, before clicking. This is why I loath and fear link shorteners such as bit.ly, mush used by among others Linkedin (yes, Linkedin I am looking at you. Stop, stop, stop, stop doing that! Just Stop It !). since this makes looking at the real URL of a link before clicking pointless.

Enter Facebook. Trust them to go even lower. What they have done is to insert some javascript that shows the URL where you will end up on the browser bar when you hover over the link. But that is not where you go. You go to Facebook along with a tracking cookie. Then Facebook forwards you to your destination (The URL show on the page and on the browser bar). Along with yet another tracking cookie.

An example. Someone sent me a link in FB.

https : //www.youtube.com/watch?v=JFozGfxmi8A%26fbclid%3DIwAR2zZCr0sL4fK4e8j1ryxM0TPEG9xx3hd3A1dGk_JymRVNoV_QXGmUDMpPs

This is the link show in the bowser bar and is where you’d have reason to think you are going.

But this is where you actually go

https : //l.facebook.com/l.php?u=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJFozGfxmi8A%26fbclid%3DIwAR2zZCr0sL4fK4e8j1ryxM0TPEG9xx3hd3A1dGk_JymRVNoV_QXGmUDMpPs&h=AT1L4MNrBbYwyU4ze1nB3HUjfFQkoe5rq4i03bK3UtgTXK5PWiD-r721CMIZHl40J6XIf5n1EOHDq6MsfNYYcFMRCSnxmJBAKcjGT3wFyTN2tiPe7L-EVXkPAkd4c9yzwd0kzlcaa08oGcgYX0k_NAb0_GAHTw&__tn__=R]-R&c[0]=AT0ZA5Vg7zjuFtOFS7aRmqMPT-xnxv6lOAxQm5SgwNAfkvX8d8Her7MMmIUgEl3R7P7QAinPyU-rhi67C_Yhfbdn2jc3-3xtWgZQqGRCg7-_Kob-6kWjvRVHQpTwly3y5efDT9xme_Z-MT8GR1xn

To see this value, slink use the “copy link address” in the right-click context menu on the link.

Breaking to down:

Yep, were off to facebook alright.

https : / / l . facebook . com / l.php?

And here is where we were told we’re going.

u=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DJFozGfxmi8A%26fbclid%3DIwAR2zZCr0sL4fK4e8j1ryxM0TPEG9xx3hd3A1dGk_JymRVNoV_QXGmUDMpPs&

and here is the tracking cookie

h=AT1L4MNrBbYwyU4ze1nB3HUjfFQkoe5rq4i03bK3UtgTXK5PWiD-r721CMIZHl40J6XIf5n1EOHDq6MsfNYYcFMRCSnxmJBAKcjGT3wFyTN2tiPe7L-EVXkPAkd4c9yzwd0kzlcaa08oGcgYX0k_NAb0_GAHTw&

__tn__=R]-R&

c[0]=AT0ZA5Vg7zjuFtOFS7aRmqMPT-xnxv6lOAxQm5SgwNAfkvX8d8Her7MMmIUgEl3R7P7QAinPyU-rhi67C_Yhfbdn2jc3-3xtWgZQqGRCg7-_Kob-6kWjvRVHQpTwly3y5efDT9xme_Z-MT8GR1xn

There we have it. Facebook, when clicked takes them to Facebook first.

Not altogether unrelated. Facebook also take other steps to prevent users from ferreting out what they are up to. Try switching on the web console on you browser and Facebook send instructions to you browser to switch it off. Yes, repeating that last bit. FB actually sends JavaScript to your browser to kill the web console if you have it running in your browser. That is some shit.  The redirect is not through the HTTP 403 but rather trough JavaScript in the html page being sent. That JavaScript kills the webconsole as well as directing your browser to the desired destination. And setting some cookies.

You can switch on the webconsole again and if you do you are presented with the following message.

Sorry, that is in Swedish (I am behind a proxy)They claim , rightly, that this tool you are seeing this message in is for developers.

Of course, I still have plugins such as HTTP Header Live and HTTP-Tracker which FB can’t touch.

So FB are not only actively trying to deceive their users about what they are doing, they are also taking direct steps to prevent that deception from being uncovered.

Sorry, that is in Swedish (I am behind a proxy)They claim , rightly, that this tool you are seeing this message in is for developers.

Of course, I still have plugins such as HTTP Header Live and HTTP-Tracker which FB can’t touch.

So FB are not only actively trying to deceive their users about what they are doing, they are also taking direct steps to prevent that deception from being uncovered.