Re: [webauthn] Pre-Registration Discovery

Since Github, apparently, does not automatically include comments submitted through public-webauthn@w3.org, I was requested to post them here for the record.  Sorry for the duplicate e-mail that goes out on this.

Hi Brad,

I'm not going to discuss the merits/demerits of "advertising" that I have a FIDO U2F Authenticator (it's bad enough that business models are so skewed already to profit on users' private information without users having to advertise something about themselves); but I'd like to play Devil's Advocate on this and ask the question.

What prevents the world's most well-known websites that support FIDO from displaying, on their home-page or login page, that they support strong-authentication?  And, making it the first choice for sign-ups? Let's see how many well-known sites advertise that they use strong-authentication to protect users on their home-page?

https://www.facebook.com/ - Nope; only has password.
https://accounts.google.com - Nope - password again.
https://github.com/login -  Whoops, a password...
https://www.dropbox.com/login - Yet another password.. and
https://login.salesforce.com/ - Guess what?  Password again.

Now, let's see what an obscure small business that builds an open-source FIDO Certified server does with a couple of FIDO-enabled applications it builds:

https://fsodemo.strongauth.com/fso/#/ - Hmmmm.. Where's the password?
https://fidodemo.strongauth.com/pnoc - What? The password is a secondary choice?

Brad, I'm not trying to ridicule your efforts at helping people use strong-authentication; I applaud your efforts - and those of all these companies who have invested time and money to integrate FIDO into their sites.  But, that's just NOT enough!!

It's not enough to claim on blogs, PR and mailing lists that a site supports strong-authentication for users.  You need to "shove it into their faces" that this is what you have now, and this is for *their* benefit.

While I recognize that the business models of these companies depend very much on making the sign-up and login process as painless as possible, I can only imagine the amount of money that is wasted in protecting these sites from constant attacks because of passwords.  I don't have the data, but I am willing to make a small wager that FIDO-enabled sites that do not make strong-authentication the first and default choice for sign-ups and logins, are reducing their overall profits by not educating people about FIDO when they first land on these home pages.

IMHO, it is *not* enough to silently protect users - it is imperative you educate them first.  It's the same old story about "giving someone a fish to eat, or teaching them how to fish".

Keep up the good work though; every little bit helps.

Arshad Noor
StrongAuth, Inc. 

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/503#issuecomment-313803807 using your GitHub account

Received on Friday, 7 July 2017 22:03:52 UTC