Biometric Authentication

Discussion in 'Forum Software Development' started by zappaDPJ, Jul 26, 2017.

  1. One year

    0 vote(s)
    0.0%
  2. Three years

    3 vote(s)
    14.3%
  3. More than five years

    18 vote(s)
    85.7%
  1. ManagerJosh

    ManagerJosh Adherent

    314
    105
    +118
    But all phone manufacturers, app developers, cellular network providers and operating system providers are trustworthy?
     
  2. emanuele

    emanuele Bugs Developer

    452
    197
    +200
    Where is the option "hopefully never"? :p
     
  3. Gus

    Gus Enthusiast

    158
    33
    +67
    More than a forum owner. ;)
     
  4. ManagerJosh

    ManagerJosh Adherent

    314
    105
    +118
    Why trust an app developer more than a forum owner?
     
  5. Gus

    Gus Enthusiast

    158
    33
    +67
    Why does it matter? My point is forums don't need biometric authentication, message boards aren't that serious.
     
  6. we_are_borg

    we_are_borg Administrator

    5,313
    1,417
    +2,098
    Well we have sites that are more then message boards the would like to have this, when its done correctly. With that i mean an API that you can access for the phone or tablet or some interface on PC, so that only a OK (login credentials and password is send) or INVALID (nothing is send only that its not the person) is transmitted back to the site.
     
  7. LeadCrow

    LeadCrow Apocalypse Admin

    6,383
    1,232
    +2,154
    Websites themselves wont have that capability for at least 10 years. A native app is required to obtain and use biometric input for true authentication, no ifs, no buts.

    Otherwise you're just using a password manager where your site passwords are stored, and your biometric input is only used to unlock the password manager and the site never realizes you tried to login using biometric anything.
    Some hardware chips simply the credential storage but they're usually restricted to specific sites or services, a portion of whose functions are already a system component so you dont need extra apps or frameworks to handle it. It's not a perfect solution, but physical ownership of tokens is a more comfortable solution since biometric authenticators can be replaced if broken, stolen or made vulnerable and also revoked if needed.
     
  8. Zylantex

    Zylantex Adherent

    493
    247
    +71
    Just because we can do it doesn't mean we should do it.
    So called progress for its own sake is a waste of effort.
     
  9. Ryan Ashbrook

    Ryan Ashbrook IPS Developer

    3,493
    1,127
    +662
    Yes, typically - these types of things typically use secure tokens to link the account and the security feature. The site would never actually hold the biometric data itself - that would be a huge security issue, up there with storing credit card information locally (if a site does that, it's doing it wrong).
     
  10. Chris D

    Chris D XenForo Developer

    766
    952
    +1,747
    I'm more optimistic than some that such support will be available sooner rather than later; it just depends on when/if they'll make the relevant APIs available. It's really the same ball park as things like Apple Pay and Android Pay which can be supported by websites now with relative ease. Apple Pay specifically is even authenticated by default with your Touch ID finger print so I don't see it as being too much of a stretch to see it within a few years.
     
    • Like Like x 3
    • Informative! Informative! x 1
    • List
  11. Gus

    Gus Enthusiast

    158
    33
    +67
    I would hope so.
     
  12. we_are_borg

    we_are_borg Administrator

    5,313
    1,417
    +2,098
    Well under European laws biometric information is a special information that must be protected and i mean not how a website is protected. Also if you have a break in in those systems the fines can be in the 4 to 6 figures. So unless only tokens or API is used i would never allow this on my site even if people begged me to.
     
  13. zappaDPJ

    zappaDPJ Administrator

    6,692
    1,342
    +5,274
    It's interesting to note the level of fear surrounding something that's taken for granted by millions of people everyday who use it to access their phones, computers, cars, bank accounts, schools, places of work... the list is endless. What's so different about accessing a forum?

    I'm glad to see the developers who have responded aren't quite so worried.

    I agree. No one method of authentication has proved foolproof and until that happens 2FA is imperative.

    I would like to think biometrics will be active on forums within the next three to five years. I'm absolutely positive it'll be in use on other social platform long before that.
     
  14. LeadCrow

    LeadCrow Apocalypse Admin

    6,383
    1,232
    +2,154
    Servers, sites and forumware scripts get hacked all the time.

    With passwords and emails as identifiers, you can shrug that and change them anytime that happens.
    With fingerprints, you're cooked for life, and biometric data obtained anywhere could be used on other services (to authenticate as you, or sign you up to paid services without your permission), it only needs to be stolen once.
     
  15. zappaDPJ

    zappaDPJ Administrator

    6,692
    1,342
    +5,274
    All valid points but biometric technology is still seen as streets ahead in terms of security and it's improving all the time. Personally I'm not particularly worried about the scenario you've described even though I think it's valid. I'm far more concerned about the implications for privacy. The potential for misuse, particularly by government agencies is worrying.
     
  16. Chris D

    Chris D XenForo Developer

    766
    952
    +1,747
    It needs to be stressed that of course no forum software developer would ever want to directly store any biometric information belonging to their customers/users. It's just an insane notion. It's tantamount to storing passwords in plain text or storing credit card information (but worse, as you noted). It just wouldn't happen.

    I'm sure I speak for all of the other forum software developers when I say that it would only be a feasible inclusion if it was some sort of web API provided by the device manufacturer, much like Apple or Android Pay, where the process is handled via secure tokens or some sort of OAuth style approach where there's no need for the software to receive or store anything that anywhere near resembles the actual raw biometric input.

    To me it seems perfectly feasible for the future, and I'm fully confident that kind of approach would be 100% safe.
     
    • Agree Agree x 3
    • Like Like x 1
    • List
  17. Ryan Ashbrook

    Ryan Ashbrook IPS Developer

    3,493
    1,127
    +662
    Agreed.
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  18. Klaatu

    Klaatu Fan

    588
    322
    +575
    Biometric authentication while using Brivium add-ons?

     
    • Funny Funny x 2
    • Winner Winner x 1
    • List
  19. fixer

    fixer I'm In My Prime

    1,675
    647
    +1,016
    why i bought gunring.com on the godaddy auction house

    soon police will wear rings mated to thier guns to prevent someone else from disarming them and using it against them

    finger print on an iphone should be implemented for forum log on i think thats pretty cool
     
  20. R0binHood

    R0binHood Habitué

    1,222
    432
    +952
    You can apparently already get it integrated if you get a GoNative Mobile App Wrapper for your forum. Seems a tad pricey though!

    https://gonative.io/pricing

    I love the TouchID authentication on the Amazon app.
     
    • Informative! Informative! x 1
    • List
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.