
Apple claims at this year's WWDC that Face ID and Touch ID count for both Possession and Inherence identity factors, because they are using Biometrics (Inherence) to access the secure element on your phone (Possession) to retrieve a unique key. See here: https://developer.apple.com/videos/play/wwdc2020/10670/

I think both claims are a stretch. For Inherence, yes, you have proved to iOS that the person who set up Face ID is again using the phone, and therefore given access to the secure key. So iOS can claim Inherence. But your app has no proof that the human possessing the phone is actually your user. Hence my app considers mobile local authentication merely a convenient Knowledge factor--a shortcut for your username and password that resolves common credential problems like human forgetfulness.

As for Possession, again, I think the claim is a stretch unless before writing the unique key to the phone's secure element you somehow prove that the possessor of the phone is your actual intended user. I suppose if you enable Face ID login immediately after account creation you can have this proof--the brand-new user gets to declare this is their phone like they get to choose their username and password. But on any login beyond the first you would have to acquire proof of Possession using an existing factor before you could grant a new Possession factor. Otherwise a fraudster who steals credentials can claim their phone is a Possession factor by enabling Face ID; a situation made extra problematic by Apple's claim that Face ID also counts as Inherence!

Am I wrong in this assessment? Which of Knowledge, Possession, and Inherence should an app developer grant mobile local biometric authentication?
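For readers who want to see what the flow in the question looks like in code, here is an added Swift example (it is not code from the question, from Apple's WWDC session, or from any real app). It creates a P-256 key inside the Secure Enclave that can only be used after a current biometric match, exports the public half for the server to register, signs a server nonce, and applies the enrollment rule argued for above: the key is only registered on a session that has already proven the factors it will later stand in for. `DeviceKey`, `Factor`, `enrollmentAllowed`, `enrollDeviceKey`, the key tag and the `send` closure are assumed names for illustration; the Security framework calls are real.

```swift
import Foundation
import Security

// Added example (not from the question, Apple's WWDC session, or any real app):
// what "biometrics gating a Secure Enclave key" looks like in code, plus the
// enrollment check the question argues for. Names such as DeviceKey, Factor,
// enrollmentAllowed and the key tag are assumptions made for illustration.

enum DeviceKeyError: Error {
    case accessControl(String)
    case keyGeneration(String)
    case exportFailed(String)
    case signingFailed(String)
    case enrollmentNotProven
}

/// Factors the server-side session has actually verified. Assumed model, not an API.
enum Factor: Hashable { case knowledge, possession, inherence }

struct DeviceKey {
    // Assumed application tag for locating the key reference in the keychain.
    static let tag = Data("com.example.app.device-key".utf8)

    /// Generate a P-256 key pair whose private half is created inside the Secure
    /// Enclave and never exported. `.biometryCurrentSet` ties the key to the
    /// biometrics enrolled right now: if someone later adds a face or fingerprint
    /// via the device passcode, the key is invalidated rather than inherited.
    /// `.privateKeyUsage` is required for Secure Enclave keys.
    static func create() throws -> SecKey {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet],
            &cfError
        ) else {
            throw DeviceKeyError.accessControl(describe(cfError))
        }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: access,
            ],
        ]
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
            throw DeviceKeyError.keyGeneration(describe(cfError))
        }
        return key
    }

    /// Public half in X9.63 (04 || X || Y) form; this is what the server stores
    /// at enrollment and later uses to verify challenge signatures.
    static func publicKeyBytes(of key: SecKey) throws -> Data {
        var cfError: Unmanaged<CFError>?
        guard let pub = SecKeyCopyPublicKey(key),
              let data = SecKeyCopyExternalRepresentation(pub, &cfError) else {
            throw DeviceKeyError.exportFailed(describe(cfError))
        }
        return data as Data
    }

    /// Sign a server-issued nonce. The Face ID / Touch ID prompt appears here,
    /// because the access control on the key requires a current biometric match
    /// before the Secure Enclave will use it.
    static func sign(challenge: Data, with key: SecKey) throws -> Data {
        var cfError: Unmanaged<CFError>?
        guard let sig = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &cfError
        ) else {
            throw DeviceKeyError.signingFailed(describe(cfError))
        }
        return sig as Data
    }

    private static func describe(_ e: Unmanaged<CFError>?) -> String {
        e.map { String(describing: $0.takeRetainedValue()) } ?? "unknown error"
    }
}

/// The enrollment rule the question argues for: a new device key may only be
/// registered (and later credited as Possession) if the current session has
/// already proven every factor the biometric login will stand in for.
/// Otherwise a stolen password alone would mint a "second factor".
func enrollmentAllowed(verifiedFactors: Set<Factor>, required: Set<Factor>) -> Bool {
    return required.isSubset(of: verifiedFactors)
}

/// Enrollment flow: check the session, then create the key and hand the public
/// half to the server. `send` stands in for the app's network call (assumed).
func enrollDeviceKey(verifiedFactors: Set<Factor>,
                     send: (Data) throws -> Void) throws {
    guard enrollmentAllowed(verifiedFactors: verifiedFactors,
                            required: [.knowledge, .possession]) else {
        throw DeviceKeyError.enrollmentNotProven
    }
    let key = try DeviceKey.create()
    try send(try DeviceKey.publicKeyBytes(of: key))
}
```

On a later login the server issues a fresh random nonce, the app calls `DeviceKey.sign(challenge:with:)` (which is where iOS shows the biometric prompt), and the server verifies the ECDSA signature with the public key it stored at enrollment. What that proves is that whoever is holding the phone can use a non-exportable key that only this device's Secure Enclave has, after a local biometric match against the set enrolled when the key was made. Whether the server should credit that as Possession, Inherence, or merely a password shortcut is exactly the question above; the `enrollmentAllowed` check encodes the position that it can be credited with no more than the session that registered the public key had already proven.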

  • I think that you are debating semantics without defining your terms. "I don't consider it Inherence" isn't an argument without comparing it against definitions, not consequences. – schroeder Jun 25 '20 at 16:55
  • As for Possession, where is the key that is being retrieved? Is it only on the device? – schroeder Jun 25 '20 at 16:56
  • There is no requirement in biometrics to be able to prove actual biometric identity. Merely that the biometric measures match. – schroeder Jun 25 '20 at 16:58
  • Yes, that's the gap I can't get over with considering Inherence satisfied from a multifactor authentication sense. The phone will match biometric measures, but where is the proof those measures are associated with your actual user? As for Possession, I am sure I'm mixing up technical terms and should have specified token. And yes, the phone writes it to the secure element on the device. It's accessible only by the app that wrote it and only if local authentication (Face ID) passes. Also please suggest a definition for Inherence if I am missing one. – dodgertodd Jun 25 '20 at 17:28
  • Case study from a friend at work: I use Face ID to log in to my mom's Chase account through the mobile app - but to set it up initially, I had to log in as her with her username/password AND a mobile OTP sent to her phone and read to me. Via Face ID, I AM her. --- This is a sticky situation, but at least mobile OTP was required in the first place. But if Face ID is enabled after only username/password, it's a disaster to consider it more than Knowledge, since all it takes is Knowledge to create the Face ID registration – dodgertodd Jun 25 '20 at 17:41
  • I think you are attributing a level of assurance and quality to biometrics as a concept than makes logical sense. Imperfect and even faulty biometric sensors are still biometrics. – schroeder Jun 25 '20 at 18:55
  • @schroeder I don't have a problem with the quality of the biometrics. My question is how to associate a biometric match to the actual human that is my user? It looks to me like a biometric match from iOS really only proves to my app that the person using the phone is the same person who knew the password last time. – dodgertodd Jun 29 '20 at 18:14

0 Answers