
**Biometric Apps Will Soon Be Pushed Across the Web**

motherboard.vice.com/en_us/art

This is a bad idea:

1. You can't "reset" your biometrics like a password.
2. Biometrics aren't hashable. The end result is they're less secure than other forms of authentication. (If you don't understand what this means, you're not qualified to have an opinion on this matter.)
3. You can't control what happens to your biometrics once they're in the hands of a 3rd party.

Please re-Toot.

@profoundlynerdy Maybe I'm tripping, but why can't you salt, pepper, and hash a biometric authentication?

I'm unclear on what the reference to SHA256 is here: w3.org/TR/webauthn/#sctn-uvi-e

Can you help me understand?

Jeff Allen @profoundlynerdy

@christianbundy Absolutely. Fair question.

In a nutshell, it's because no two scans of your biometrics are digitally identical. Scan your fingerprint a thousand times and you'll have that many slight variations from scan to scan that are within some epsilon of a "perfect" scan.

More details here:

hackaday.com/2015/11/10/your-u

Enjoy the read.

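An added example, not from either poster, that makes the "within some epsilon" point concrete: a constructed 256-bit stand-in for a template, a second "scan" with a few bits flipped, the salted SHA-256 comparison from the question above failing on that scan, and a Hamming-distance match succeeding only because the raw template itself is kept for comparison. The template, the noise level and the 10% threshold are constructed assumptions, not values from any real biometric system.

```python
import hashlib
import random

# Constructed stand-in for a biometric template: a 256-bit feature vector.
# Real fingerprint/iris templates are larger and structured, but the property
# that matters here is the same: every fresh capture differs in a few bits.
TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.10  # assumed epsilon: accept if at most 10% of bits differ


def enroll_template(seed: int = 1) -> int:
    """Deterministically build a constructed 'perfect' template as an int."""
    rng = random.Random(seed)
    return rng.getrandbits(TEMPLATE_BITS)


def noisy_capture(template: int, flips: int, seed: int) -> int:
    """Simulate a fresh scan: the same template with `flips` distinct bits flipped."""
    rng = random.Random(seed)
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def hash_template(template: int, salt: bytes) -> str:
    """What the question asks about: salt + SHA-256 over the raw capture."""
    data = template.to_bytes(TEMPLATE_BITS // 8, "big")
    return hashlib.sha256(salt + data).hexdigest()


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def hash_match(stored_digest: str, capture: int, salt: bytes) -> bool:
    """Exact-match check: any flipped bit changes the whole digest (avalanche)."""
    return hash_template(capture, salt) == stored_digest


def fuzzy_match(stored_template: int, capture: int) -> bool:
    """How matchers actually work: distance to the *raw* stored template."""
    return hamming_distance(stored_template, capture) <= MATCH_THRESHOLD * TEMPLATE_BITS


def demo() -> dict:
    salt = b"constructed-salt"
    enrolled = enroll_template()
    digest = hash_template(enrolled, salt)
    scan = noisy_capture(enrolled, flips=5, seed=42)  # 5 of 256 bits differ (~2%)
    return {
        "bits_differing": hamming_distance(enrolled, scan),
        "hash_match": hash_match(digest, scan, salt),  # False even for a genuine user
        "fuzzy_match": fuzzy_match(enrolled, scan),    # True, but the raw template had to be stored
    }
```

The fuzzy check only works because the verifier holds the un-hashed template, which is exactly the "in the hands of a 3rd party" problem from the original post.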

@profoundlynerdy Thanks! I haven't read the article yet (starting now), but I wonder whether you could delegate biometric authentication to a TPM and/or 2FA hardware.

I suppose that's basically what we're already doing with mobile biometrics anyway? Time to read!