Log in confirmation dialog box by default even when using biometrics

Fabrice Neuman

Active member
Mar 11, 2019
37
10
France
www.pro-fusion.biz
Hi,

Each time I log in with SQRL using FaceID on my iPhone, I think that I would prefer having to confirm the login instead of being logged in automagically. The reasoning is this: even though the app displays the site URL to make sure I log in to the right website, I have no possibility to say "oops, no, don't log in" if the QR code was actually spoofed in any way. Another URL would be shown, but it would be too late for me not to log in. The Windows version of the app prevents this type of spoofing but, as we know, the mobile apps can't do that. Basically, it means I would prefer having the "advanced options" toggle ON by default, just to have this additional layer of security.

And I would probably also like to be able to activate/deactivate the "advanced options" feature before scanning the QR code.

Any thoughts?

P.S.: Sorry if I missed something in the settings somewhere.
 

Vela Nanashi

Well-known member
May 19, 2018
633
107
For face and iris recognition I think there definitely needs to be a button to press to verify you want to accept it, for fingerprint I am not sure if it would be needed, but having an option to decide how one wants that to work, is a good idea I think.

Also, adding a checkbox next to the QR code, set to whatever the option is set to, "[X] Confirm biometrics with button" (or, you know, something less techy :)), would work :)
 

PHolder

Well-known member
May 19, 2018
918
124
This is off topic to the question above:

Well, I didn't design SQRL, but personally, I feel like the model needs to be adjusted anyway. It should be deemed safe to have the first SQRL interaction with any site at no risk. This would be when the client would query the site "who are you?" and get a link to the site info. This would require the site to have a public key though. That way, if you had been to the site before, you would have stored the public key, and the first interaction would have the site confirm it knows the proper private key. That would strongly reduce an attacker's ability to spoof a site.

The point (as it ties to the above question) is that the client would need your password to do any interactions, but entering your password (or your FaceID) wouldn't imply you approve the site. For that, once the unlock has occurred, you would need to see a page with info about the site with a pair of buttons at the bottom that say "Yes, authorize login" or "No, abort communication".
 
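The flow PHolder sketches above (a no-risk "who are you?" query, a pinned site public key that the site must prove it controls, and only then a separate "authorize / abort" decision by the user) is shown below as an added, self-contained Go example. It is not SQRL's actual protocol, not PHolder's code, and not anything from GRC's clients; the message format, the `Responder` interface, the two spoofing cases and the sample origins (`https://example.com`, `https://attacker.example`) are all constructed here for illustration. It uses trust-on-first-use pinning with an Ed25519 challenge-response from Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Site is a hypothetical service that owns a long-term Ed25519 identity key.
// This models the forum proposal only; it is not SQRL's real protocol.
type Site struct {
	Origin string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewSite(origin string) (*Site, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Site{Origin: origin, pub: pub, priv: priv}, nil
}

// proofMessage binds the nonce to the origin so a signature obtained from one
// site cannot be replayed as proof for another (constructed format).
func proofMessage(origin string, nonce []byte) []byte {
	return append([]byte("site-proof:"+origin+"\n"), nonce...)
}

// Responder is whatever answers the client's "who are you?" query:
// the genuine site, or something pretending to be it (a spoofed QR code).
type Responder interface {
	WhoAreYou() (origin string, pub ed25519.PublicKey)
	Prove(nonce []byte) []byte
}

func (s *Site) WhoAreYou() (string, ed25519.PublicKey) { return s.Origin, s.pub }
func (s *Site) Prove(nonce []byte) []byte {
	return ed25519.Sign(s.priv, proofMessage(s.Origin, nonce))
}

// KeySwap claims Target's origin but presents the attacker's own key.
type KeySwap struct{ Target, Attacker *Site }

func (k *KeySwap) WhoAreYou() (string, ed25519.PublicKey) { return k.Target.Origin, k.Attacker.pub }
func (k *KeySwap) Prove(nonce []byte) []byte {
	return ed25519.Sign(k.Attacker.priv, proofMessage(k.Target.Origin, nonce))
}

// KeyClaim presents Target's genuine origin and public key but cannot sign for it.
type KeyClaim struct{ Target, Attacker *Site }

func (k *KeyClaim) WhoAreYou() (string, ed25519.PublicKey) { return k.Target.Origin, k.Target.pub }
func (k *KeyClaim) Prove(nonce []byte) []byte {
	return ed25519.Sign(k.Attacker.priv, proofMessage(k.Target.Origin, nonce))
}

var (
	ErrKeyMismatch = errors.New("site key does not match the pinned key for this origin")
	ErrBadProof    = errors.New("site could not prove possession of the key it presented")
)

// Verdict is what the client can show the user before asking for a decision.
type Verdict struct {
	Origin    string
	FirstSeen bool // true on trust-on-first-use; the UI should say so
}

// Client keeps a trust-on-first-use store of origin -> pinned public key.
type Client struct{ pins map[string]ed25519.PublicKey }

func NewClient() *Client { return &Client{pins: map[string]ed25519.PublicKey{}} }

// Identify is the no-risk first interaction: nothing about the user is sent,
// so a spoofed site can at worst be refused before any login happens.
func (c *Client) Identify(r Responder) (Verdict, error) {
	origin, pub := r.WhoAreYou()
	if len(pub) != ed25519.PublicKeySize {
		return Verdict{}, ErrBadProof
	}
	pinned, seen := c.pins[origin]
	if seen && !bytes.Equal(pinned, pub) {
		return Verdict{}, ErrKeyMismatch
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Verdict{}, err
	}
	if !ed25519.Verify(pub, proofMessage(origin, nonce), r.Prove(nonce)) {
		return Verdict{}, ErrBadProof
	}
	if !seen {
		c.pins[origin] = pub
	}
	return Verdict{Origin: origin, FirstSeen: !seen}, nil
}

// Authorize keeps unlocking the client (password, FaceID) separate from
// approving the site: both must happen, and the approval prompt shows the Verdict.
func Authorize(v Verdict, unlocked bool, approve func(Verdict) bool) bool {
	return unlocked && approve(v)
}

func main() {
	site, _ := NewSite("https://example.com") // constructed sample origin
	evil, _ := NewSite("https://attacker.example")
	c := NewClient()
	v, err := c.Identify(site)
	fmt.Println("genuine site:", v, err)
	_, err = c.Identify(&KeySwap{Target: site, Attacker: evil})
	fmt.Println("key swap:", err)
	fmt.Println("authorized:", Authorize(v, true, func(v Verdict) bool { return !v.FirstSeen }))
}
```

The point of the split is that `Identify` can fail (mismatched pin, failed proof) without the user having revealed anything, and `Authorize` is where the "Yes, authorize login" / "No, abort" decision lives, after the biometric unlock rather than as a side effect of it. A first visit still succeeds with `FirstSeen` set, which is the usual trust-on-first-use caveat: the pin only protects visits after the first one.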

Jeffa

Well-known member
May 20, 2018
133
49
    Vela Nanashi said:
    For face and iris recognition I think there definitely needs to be a button to press to verify you want to accept it, for fingerprint I am not sure if it would be needed, but having an option to decide how one wants that to work, is a good idea I think.

    Also adding a checkbox set to whatever the option is set to [X]Confirm biometrics with button. Or you know something less techy :) would work to have next to the QR code :)

Yep, it needs to change