Biometrics Support?

[drunkenblueberry]

Hello, I stumbled upon this project recently when learning about WebAuthn/FIDO2. I like what this project aims to do and I might even be interested in contributing sometime.

One thing I was curious about is whether biometrics (I'm mainly interested in fingerprint readers) is something this project will support. Fingerprint readers in particular are brokered by fprintd, and I wonder if an integration with this DBus service has been considered.

If these plans do exist, please consider documenting them. I was not able to find them, though maybe I was too hasty.

[iinuwa]

Hi! Thanks for participating!

I would like to eventually support releasing passkeys created with the platform authenticator using biometrics. I have not considered exactly how we should accomplish that.

These two articles summarize the security considerations: "On-device WebAuthn and What Makes It Hard To Do Well" and "Why does Gnome Fingerprint Unlock Not Unlock the Keyring?".

In short, there's no secure way to associate a fingerprint match with a secret if you don't trust the OS.

Now, our threat model excludes root privilege escalation, kernel exploit, hardware attacks, and D-Bus attacks, so it would actually be fine under our threat model to release keys based on include fingerprint matching: fprintd is set up by root and runs as a system service user, so you'd have to escalate beyond the user process to impersonate it. Even though other OSes have stronger guarantees doesn't necessarily mean that we should discourage users from using this, if that may mean that users would choose instead not to use passkeys at all due to inconvenience. (Using passkeys on a device that is vulnerable to malware and hardware attacks is still more secure than using passwords on a device that is also vulnerable to malware and hardware attacks.)

Some things I would want from the fprintd response though:

• Confirmation that the biometric was matched-on-sensor
• Once implemented in fprintd and supported drivers, confirmation that the match was done over a secure connection (TLS, Secure Device Connection Protocol)

PAM and Polkit can be used to achieve user verification generally, but if we decide to have a separate device PIN for user credentials, then we wouldn't be able to use PAM (or Polkit?), as I don't think it gives you back information about which authentication method was exercised.¹ Windows Hello does this, but macOS does not (you either use biometrics or account password for UV), so we have a decision to make. Once the decision about PINs is made, then we can determine what to do with biometrics.

Footnotes

1. I could definitely be wrong about this: I'm remembering some offhand comment from a forum a couple years ago, not based on my experience or documentation. ↩