Biometric authentication from browser now supported by eBay as passwords continue to fail users
Passwords and other knowledge-based authentication (KBA) methods continue to lose ground to biometrics and public key cryptography, with a new implementation, a perspective shared by Microsoft, and a pair of data breaches all pointing to the same conclusion.
eBay has moved to support authentication with biometrics or physical tokens instead of passwords, with the addition of WebAuthn support, becoming one of the first major ecommerce platforms to enable biometrics as a primary authentication method on web browsers, according to a company blog post.
There are 183 million registered buyers on eBay, and they can now use biometrics to authenticate themselves with fingerprints or facial recognition on biometric-enabled Android phones running Chrome 75 or higher. The company plans to extend the feature to more platforms in the future.
The eBay mobile app already features support for biometric authentication.
GitHub announced support for biometrics through WebAuthn in August.
Microsoft Cybersecurity Field CTO Diana Kelley meanwhile tells Singapore’s The Straits Times that the industry has become increasingly worried about the difficulty posed for consumers by complex passwords.
At a recent two-day cybersecurity event held at Microsoft’s Experience Centre in the country, the company showed off its technology to potential customers and partners, including for passwordless authentication.
“Password-less technology takes factors from the person such as the biometric data of their fingerprint or their face,” Kelley explains. “It combines that with what we know about the person including, for example, the hardware they are using and its components.”
She also notes that safe online practices are causing fatigue among consumers, increasing risk even among those who are aware of good cyber hygiene practices.
The vulnerability of legacy cybersecurity methods is also shown by the exposure on an unsecured server of some 1.2 billion records, totaling 4 terabytes of data, including phone numbers, email addresses, and accounts for social media and collaboration platforms, Wired reports.
The server was discovered by dark web researcher Vinny Troia, and included 622 million unique email addresses and nearly 50 million different phone numbers.
“It’s bad that someone had this whole thing wide open,” Troia says. “This is the first time I’ve seen all these social media profiles collected and merged with user profile information into a single database on this scale. From the perspective of an attacker, if the goal is to impersonate people or hijack their accounts, you have names, phone numbers, and associated account URLs. That’s a lot of information in one place to get you started.”
The IP address of the server identifies it as running on Google Cloud Services, but who owns the database is unknown. Three of the four data sets that seem to comprise the database were labelled as coming from People Data Labs, a San Francisco-based company that claims to have data from 1.5 billion people for sale. It says email addresses, phone numbers, and social media accounts are among the data it holds.
Troia reported the exposure to a contact at the FBI, and the server was taken down or shielded. The FBI declined to comment to Wired.
A People Data Labs co-founder told Wired the server does not belong to his company, and Troia agrees, noting that anyone who wants PDL's data can simply purchase it. He also notes that a free trial offer and a quantity of “burner accounts” could be sufficient to gather it all for free.
The rest of the data may come from another data broker, Oxydata, though a company representative told Wired the company has not been breached and does not label data the same way as that in the exposed database.
As Wired points out, the mystery behind the data source indicates the significant data security and privacy issues inherent to the data brokerage business model.
Cryptocurrency wallet provider GateHub and gaming bot maker EpicBot have leaked data for nearly 2.2 million customers, combined, onto the dark web, Ars Technica reports.
The data was hashed with bcrypt, a relatively robust password hashing function, but two-factor authentication keys, mnemonic phrases, and wallet hashes from 1.4 million GateHub accounts, and usernames and IP addresses for roughly 800,000 EpicBot accounts were allegedly stolen. GateHub says an initial investigation indicates wallet hashes were not, in fact, accessed.