Larger Attack Surface on User’s Device
Today I take up this report from The Register, “Client-side content scanning as an unworkable, insecure disaster for democracy”: https://www.theregister.com/2021/10/15/clientside_side_scanning/
Glancing over this worrying report, I found this paragraph especially eye-catching: “It goes on to look at all the potential problems with CSS systems. These include the possibility of abuse by authorized and unauthorized parties, as well as local adversaries — a user’s partner, ex-partner, other family member, or rival who has access to the user’s device.”
This kind of threat is supposed to be mitigated by a secure login. In this respect, Apple is shooting itself in the foot: it has enlarged the attack surface of login security (that is, made it more vulnerable) by adding a probabilistic back door, biometric login such as TouchID and FaceID, on top of the deterministic front door of the default pincode/password.
While there is nothing particularly wrong with using two authenticators in a ‘two-entrance’ deployment for convenience’s sake, it is absolutely wrong to lead consumers to believe that security has been improved.
In fact, it has lowered identity security while spreading a false sense of security among consumers.
As for the security effect of deploying two authenticators in a ‘multi-entrance’ deployment (as opposed to a ‘multi-layer’ deployment), you may be interested in these posts:
“Biometrics is to Password what Back door is to Front door”
“Step-by-Step Analysis of Why and How Biometrics Brings Down Security”
“Get graphs to talk the nature of probabilistic biometrics”
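To make the ‘multi-entrance’ versus ‘multi-layer’ distinction concrete, here is a small added model (my own illustration, not code from the post or from any vendor). It treats each authenticator by the probability that a single unauthorised attempt is accepted: a guess probability for a pincode, a false acceptance rate (FAR) for a biometric. The numeric values are constructed assumptions chosen only to show the shape of the result; they are not measured figures for any product. With two entrances the attacker succeeds if either door opens, so the combined success probability can only go up; with two layers both doors must open, so it can only go down.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Iterable


@dataclass(frozen=True)
class Authenticator:
    name: str
    # Probability that one unauthorised attempt is accepted.
    # For a pincode this is the chance of a correct guess; for a
    # biometric it is the false acceptance rate (FAR).
    attacker_success: float


def multi_entrance(auths: Iterable[Authenticator]) -> float:
    """'OR' policy: passing ANY one authenticator unlocks the device.

    The attacker fails only if every door stays shut, so
    P(success) = 1 - prod(1 - p_i).
    """
    all_shut = reduce(lambda acc, a: acc * (1.0 - a.attacker_success), auths, 1.0)
    return 1.0 - all_shut


def multi_layer(auths: Iterable[Authenticator]) -> float:
    """'AND' policy: EVERY authenticator must be passed in turn.

    Assuming independent attempts, P(success) = prod(p_i).
    """
    return reduce(lambda acc, a: acc * a.attacker_success, auths, 1.0)


def weakest_link(auths: Iterable[Authenticator]) -> Authenticator:
    """In a multi-entrance deployment the system is never stronger
    than its most permissive door; return that door."""
    return max(auths, key=lambda a: a.attacker_success)


def entrance_added_weakens(base: Iterable[Authenticator],
                           extra: Authenticator) -> bool:
    """True when adding 'extra' as another entrance raises (or leaves
    unchanged) the attacker's per-attempt success probability.
    Mathematically this is always True, which is the post's point."""
    base = list(base)
    return multi_entrance(base + [extra]) >= multi_entrance(base)


# Constructed assumptions for illustration only (not real product data).
PIN = Authenticator("6-digit pincode, single guess", 1e-6)
FACE = Authenticator("face biometric, assumed FAR", 1e-4)


def compare(auths: Iterable[Authenticator]) -> dict:
    auths = list(auths)
    return {
        "multi_entrance": multi_entrance(auths),
        "multi_layer": multi_layer(auths),
        "weakest_link": weakest_link(auths).name,
    }


if __name__ == "__main__":
    for label, value in compare([PIN, FACE]).items():
        print(f"{label:>15}: {value}")
    print("adding FACE as a second entrance weakens the PIN-only login:",
          entrance_added_weakens([PIN], FACE))
```

Running it shows the multi-entrance figure sitting slightly above the biometric FAR alone (the front door adds to, rather than shields, the back door), while the multi-layer figure is the product of the two and far smaller than either. The same functions accept any number of authenticators, so the comparison generalises beyond the two-door case in the post.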
For Achieving Solid Digital Identity on Information Security Buzz (Mar/2021)