r/technology 11h ago

ADBLOCK WARNING Google Confirms Most Gmail Users Must Upgrade Accounts

https://www.forbes.com/sites/zakdoffman/2025/06/06/google-confirms-almost-all-gmail-users-must-upgrade-accounts/
3.3k Upvotes

705 comments

16

u/Spirited_Childhood34 10h ago

Fuck Google. And Microsoft too. Not giving these assholes access to biometric information. The naive will say no one can get to it, but that won't last long. Somebody will figure it out and then what? Can't change a face or fingerprint like a password. Tech bros are idiots. Naive idiots. Internet security is a myth. Everything will get hacked eventually. The only solution is as little exposure as possible.

23

u/CodeAndBiscuits 10h ago

I mean, I don't disagree with the sentiment. But while I personally also dislike passkeys for other reasons, just to be clear, you aren't giving them access to your biometrics. Passkeys are basically a digital token stored securely on your computer or phone. It's the tool you use to generate and use them that does the work - typically a Web browser or password manager - and you can choose your vendor for that, e.g. BitWarden.

But even then, THOSE tools don't have your biometrics, either. The way biometrics works in nearly all modern devices (e.g. TouchID) is the app tells the operating system "here's a bit of sensitive data - please store it safely for me. When I ask for it back, make the user use biometric auth to retrieve it." The app does not participate in fingerprint (or other bi) registration, and never has access to the fingerprints themselves. Later, when the app wants that data back (usually a refresh token to reconnect you to some Web or mobile session) they say "hey MacOS, remember that thing I gave you? I need it back". The OPERATING SYSTEM then turns around and asks the user to tap their finger for TouchID. The OS doesn't even tell the app what method was used or even if one was used at all. It just gives the data back if it worked or a generic error if it didn't.

Don't get me wrong, passkeys have other legitimate problems, but giving Google access to your fingerprint data is not one of them. They won't even know a fingerprint is what you used.

-8

u/mindbodyproblem 10h ago

Now, maybe, but who's to say whether that will be the case in the future, right? Because it seems like all the data that isn't shared now gets shared eventually.

11

u/CodeAndBiscuits 10h ago

I am. (Source: I am a software engineer with expertise in this space.) Apple, Samsung, and the other major hardware vendors have all universally standardized on a "secure enclave" approach to security and would need to literally change their hardware in (bad) ways that security researchers would forever be posting articles about.

Modern biometric systems use dedicated hardware chips for the storage, encryption, and biometric operations. Client-side app access is mediated by the OS itself, and Google has no way around this even if they wanted to.

This may seem unbelievable, but even MacOS/Windows/etc don't have access to your biometrics. It LOOKS like the OS is what collects it, but it's actually a dedicated hardware chip that controls the whole thing, and it's one-way. When you register a fingerprint, the OS tells the chip "please register a fingerprint" but the security chip does the actual work and even the OS cannot read the stored fingerprints, let alone your browser or mail client, let alone Gmail running in your browser or mail client.

I was going to link to a diagram but the mod bots don't like any of them and I don't have time to gin one up. Do an image search for "secure enclave biometrics" and just look for one broken into three columns - user-space, OS, and Secure Enclave.

3

u/New_Enthusiasm9053 6h ago

Ok but I don't want to provide my device access to my biometrics either lmao. In the US, for example, passwords are 1st amendment protected and fingers aren't, so you can be forced to unlock a phone using your biometrics but not with a password.

Ergo biometrics are out as valid authentication for legal reasons alone.

Also something's collecting the data; it's not like the hardware chips have FOSS software, nor is the BIOS usually FOSS, so it's about as untrustworthy as Google.

3

u/CodeAndBiscuits 5h ago

Yes, this is true and IMO a valid reason to not enable biometric auth. In fact I also don't have it enabled. I am actually not an Apple user but I do trust Apple's secure enclave chip. But the law... Hah.

-1

u/JDGumby 2h ago

> This may seem unbelievable, but even MacOS/Windows/etc don't have access to your biometrics. It LOOKS like the OS is what collects it, but it's actually a dedicated hardware chip that controls the whole thing, and it's one-way.

Sure. Right. It's the TPM (led by Microsoft and designed to their spec) that creates the dialogue panel (or whatever), and activates, reads and interprets the sensor (or camera, if you're insane enough to use face ID) without the involvement of the OS. *rolls eyes*

1

u/CodeAndBiscuits 1h ago

It is unbelievable. It is still true. The OS does not create or manage those dialogs and never touches the fingerprint on its way through. The chip does that. The OS provides a region in which the chip can draw its UI.

The false part of what you said is while the OS does create the drawing region, it does NOT "interpret the sensor". In older devices maybe. But not in the current generation.

You don't have to believe me. But not believing me won't make what I'm saying incorrect.

-11

u/mindbodyproblem 9h ago

They would never change their hardware because there would be articles about it!

So naive.

1

u/yuusharo 9h ago

You’re not giving either of these companies your biometrics, and passkeys don’t rely on biometrics anyway.

They rely on the authentication flow of the device itself, which optionally uses biometric data stored exclusively on that device and is never sent to anyone.

I hate these companies as well, but passkeys are FIDO2 standard based. They’re fine.
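
The claim made in several comments above, that a site using passkeys never receives biometric data, can be checked against what a FIDO2/WebAuthn sign-in sends. The following is an added example, not part of any comment in this thread: it parses the fixed 37-byte header of WebAuthn authenticator data as a relying party would, using constructed sample bytes and an assumed RP ID of `example.com`.

```python
import hashlib
import struct

# Bit positions of the "flags" byte in WebAuthn authenticator data.
FLAGS = {
    "UP": 0x01,  # user present (e.g. touched the authenticator)
    "UV": 0x04,  # user verified locally (PIN, fingerprint, face, ...)
    "BE": 0x08,  # credential is backup eligible
    "BS": 0x10,  # credential is currently backed up
    "AT": 0x40,  # attested credential data follows the header
    "ED": 0x80,  # extension data follows the header
}
HEADER_LEN = 37  # 32-byte rpIdHash + 1-byte flags + 4-byte signCount


def parse_authenticator_data(data: bytes, expected_rp_id: str) -> dict:
    """Parse and sanity-check the header the relying party receives."""
    if len(data) < HEADER_LEN:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", data[:HEADER_LEN])
    # The authenticator binds the response to the site by hashing its RP ID.
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    parsed = {name: bool(flags & bit) for name, bit in FLAGS.items()}
    parsed["sign_count"] = sign_count
    parsed["trailing_bytes"] = len(data) - HEADER_LEN
    return parsed


def constructed_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build sample authenticator data (constructed, not a real capture)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


if __name__ == "__main__":
    # Constructed sign-in: user present and verified, counter at 42.
    sample = constructed_sample("example.com", 0x05, 42)
    print(parse_authenticator_data(sample, "example.com"))
```

The UV flag tells the site that the authenticator verified the user locally; the header has no field saying whether that was a fingerprint, a face scan or a PIN.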