I don’t understand how this could work actually. From a couple of photos on social media you can likely recover the 3D geometry of the face. From that, if the signing algorithm is known, you should be able to replicate these passkeys.
If the algorithm is not known, it’s only a matter of time before it’s leaked or reverse engineered. And then suddenly there’d be a massive, difficult-to-fix security breach. Just like the breaches that we have now with voice-based authentication.
The biometrics like your face or fingerprints aren't used directly with the site you're trying to log into and would never leave your device. It's just used to unlock your phone/tablet/computer/whatever's stored secrets to sign a message verifying it's you. If you don't trust the biometric systems on your device or are worried about someone stealing them and trying to fool your device's hardware, you can always just not use them and just use a passcode/password to protect your device instead.
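Added example, not posted by any commenter and not taken from any real passkey implementation: a simplified Go model of the flow the comment above describes. The "device" keeps one private key per site and releases it for signing only after a local unlock; the "server" stores only public keys and issues one-time challenges. Note that the server-side Verify takes a public key, a challenge and a signature and nothing else, so a face reconstructed from photos has nowhere to be presented. All type and function names are assumptions; real WebAuthn signs a richer structure (authenticator data plus a client-data hash), whereas this binds only the relying-party ID and the challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device holds one passkey per relying party (site). The private key never
// leaves the device; it is used for signing only after a local unlock.
// (Hypothetical in-memory store; a real device keeps this in a secure element.)
type Device struct {
	locked bool
	keys   map[string]ed25519.PrivateKey // rpID -> private key
}

func NewDevice() *Device {
	return &Device{locked: true, keys: map[string]ed25519.PrivateKey{}}
}

// Unlock stands in for Face ID / Touch ID / a passcode. The result is a local
// yes/no; no biometric data is produced for, or sent to, the server.
func (d *Device) Unlock(ok bool) { d.locked = !ok }
func (d *Device) Lock()          { d.locked = true }

// Register creates a passkey for rpID and returns only the public key.
func (d *Device) Register(rpID string) (ed25519.PublicKey, error) {
	if d.locked {
		return nil, errors.New("device locked: local unlock required")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.keys[rpID] = priv
	return pub, nil
}

// signedMessage binds the challenge to the rpID so a signature made for one
// site cannot be replayed at another (simplified relative to WebAuthn).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(rpID)))
	h.Write(n[:])
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the server's challenge, but only while the device is unlocked.
func (d *Device) Assert(rpID string, challenge []byte) ([]byte, error) {
	if d.locked {
		return nil, errors.New("device locked: local unlock required")
	}
	priv, ok := d.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey for this site")
	}
	return ed25519.Sign(priv, signedMessage(rpID, challenge)), nil
}

// Server is the relying party: it stores public keys and one-time challenges.
type Server struct {
	rpID    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // username -> outstanding challenge
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce; each one is valid for a single use.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[user] = c
	return c
}

// Verify needs only the stored public key, the outstanding challenge and the
// signature. There is no parameter for a face or fingerprint.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	c, pendingOK := s.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(s.pending, user) // single use: a replayed signature fails
	return ed25519.Verify(pub, signedMessage(s.rpID, c), sig)
}

func main() {
	dev, srv := NewDevice(), NewServer("example.com")
	dev.Unlock(true) // local check passed
	pub, _ := dev.Register("example.com")
	srv.Enroll("alice", pub)
	sig, _ := dev.Assert("example.com", srv.Challenge("alice"))
	fmt.Println("login accepted:", srv.Verify("alice", sig))
	fmt.Println("replay accepted:", srv.Verify("alice", sig))
}
```

The two properties worth checking against this model are that a locked device refuses to sign at all, and that a captured signature is useless a second time because the challenge it was bound to has been consumed.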
The problem is not that biometrics are leaking from my device. The problem is that faces are already on social media. And that the biometrics of the face can be reconstructed extremely easily and at scale.
But if this is used only to unlock the trust zone/secrets, I guess that works. It seems to be extremely dependent on the device not getting locked up accidentally, lost or damaged. If damage would lock you out of all of your accounts, this seems rather drastic.
Can someone explain, how this can be mitigated?