I have a question about Google Password Manager in Chrome!
On my Mac, I used to unlock Internet Identity using my fingerprint. However, I’ve noticed that on a new device using Chrome, Google Password Manager no longer uses fingerprint authentication. Is this expected behavior, or is there a setting I might be missing?
On Safari, you can still use fingerprint authentication to access Internet Identity.
Isn’t it a step backward in terms of security if fingerprint authentication is no longer used in the Chrome browser?
I haven’t heard or read of any changes in Chrome or Google Password Manager.
Internet Identity uses “userVerification: preferred”, which is the default and doesn’t require biometrics if the device doesn’t support them. More info here.
On my side, I use 1Password, and the biometrics are used only after some inactivity time. My guess is that maybe Google Password Manager started doing something like this. While the user seems to be the real user, don’t prompt for the biometrics. If the user behaves weirdly or hasn’t had any activity, request biometrics. This is just my guess, though.
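How a relying party can observe what `userVerification: "preferred"` actually produced, shown as an added example that is not part of the original posts and is not Internet Identity's code. It reads the flags byte of the WebAuthn authenticator data; the function names and the sample bytes are constructed for illustration.

```javascript
// WebAuthn authenticatorData layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // user present (touch or similar gesture)
const FLAG_UV = 0x04; // user verified (biometric, PIN or similar)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new RangeError("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false), // big-endian counter
  };
}

// Hypothetical relying-party policy check (name is an assumption).
// `requested` is the userVerification value sent in the request options.
function checkUserVerification(requested, authData) {
  const { userPresent, userVerified } = parseAuthenticatorData(authData);
  if (!userPresent) {
    return { accept: false, reason: "user presence flag not set" };
  }
  if (requested === "required" && !userVerified) {
    return { accept: false, reason: "UV required but flag not set" };
  }
  // "preferred" and "discouraged" are accepted either way; the flag still
  // tells the relying party whether a biometric or PIN check took place.
  return {
    accept: true,
    reason: userVerified ? "user verified" : "presence only, no verification",
  };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, signCount = 7.
function sampleAuthData(flags) {
  const b = new Uint8Array(37);
  b[32] = flags;
  b[36] = 7;
  return b;
}

console.log(checkUserVerification("preferred", sampleAuthData(FLAG_UP)));
console.log(checkUserVerification("required", sampleAuthData(FLAG_UP)));
console.log(checkUserVerification("preferred", sampleAuthData(FLAG_UP | FLAG_UV)));
```

With `preferred`, a sign-in without a fingerprint prompt is still accepted; only a relying party that requests `required` and checks the UV flag rejects it.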
I don’t know about fingerprint passkeys for Chrome. I have an older desktop PC running Linux for over 8 years, not likely to change that. I found it impossible to obtain an Internet Identity without security FIDO U2F. I tried to use an older Samsung S2 with fingerprint button; all seemed well until I had an Android update and lost access to Stoic wallet with 300 ICP plus some other assets I was transferring from Plug and Bitfinity. I’ve lost all trust in the current wallets and keep my main ICP holding with a fully licensed broker/exchange in Europe. It’s unlikely I will be handing over my holdings to any of the current unregulated apps and wallets on the IP ecosystem. Unfortunately, my holdings on Bitfinity have grown again well over 15k and it gives me no sense of comfort at all, other than that it is accessible with a mnemonic passphrase, much more reliable than a passkey!
The reference gets stored in browser cache, so the update probably deleted the cache. The verbiage that the key is stored in TPM is gonna get a lot of people. You gotta go deep in the weeds to realize that simply clearing your browser cache wipes it.
Multiple devices are useless if they are in the same location and your house burns down… Giving it to a “trusted person” is another vector. A seed phrase you can encrypt/shard/send to cloud. Basically the advertised “simplicity” seems irresponsibly dangerous for average folk.
Another issue I see is the recovery phrase. You register it on a hot device. What if you have malware on your device while registering the recovery phrase?
But then say you don’t add a recovery phrase: since II is session based, is it possible for malware to register a phrase once you authenticate a session? I don’t know, but if someone could go in detail on how that is impossible or possible.
But I wouldn’t use II to stake anything substantial.