- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Fri, 28 Feb 2020 13:04:59 +0000
- To: public-webauthn@w3.org
There are a few things about FIDO2/WebAuthn that create confusion - unfortunately, the mess the authentication industry created over the last 20 years with the stupid "2FA" and "MFA" schemes they invented (instead of trying to make TLS ClientAuth simpler and easier) was primarily responsible for the mess. Leaving that rant aside for the moment, here are facts that might be helpful in understand what makes FIDO2 easier to work with: 1) This is the first protocol that allows users to multiple, unique cryptographic key-pairs associated with an account. For over half-a-century, people have been accustomed to associating an account with a single authentication credential, whether it is a single password or a single digital certificate + private-key, etc. FIDO shatters that paradigm and allows you to register dozens of public-keys with a website if you so choose to. When I demonstrate FIDO2, I show people that I have at least 8 public-keys registered from different devices to the demo account: a USB key, an NFC key, TouchID, Android resident-key, Windows Hello on the TPM, etc. I carry 3 different brands of Security Keys (on my keyring that has my home and car keys) to demonstrate that I've never lost that keyring or the Security Keys, and can authenticate to the same account with all these devices. Its not about affordability, or because we happen to be a FOSS FIDO2 Server manufacturer (and must consequently test with dozens of FIDO2 Authenticators); its about changing people's misconceptions that things have to be a certain way to be successfully adopted.: that there has to be one, universal FIDO2 Authenticator for the world to adopt it. Once you step back from that notion, and life becomes easier; 2) Depending on the secure element on a device, a key-pair does NOT have be locked down to a specific device - they can be ported if the secure element design supports a secure way of transporting keys from one device to another. In our experience, keys registered on a TPM can be ported to another TPM securely - through a process called "key-migration"; this has existed on TPMs since 1.2 (more than 12 years ago). I know this, because our appliances that provide key-management security have been using this capability to migrate encrypted keys from one appliance to another to establish key-management clusters for HA/DR. You can migrate signing-keys and encryption-keys (storage-keys in TPM terminology) very securely and conveniently with this TCG-defined process. However, you must have the tools to do this - the TCG spec tells you how to do this securely. What I cannot speak for are the secure elements on mobile devices and other platforms where resident keys are stored. The secure element manufacturers could attempt to provide a secure process to do this, but I wouldn't hold my breath - IMO, its cheaper to buy a $10 Security Key and use it as your own "migration tool" to create FIDO2 credentials on multiple devices to the same account. I would encourage technologists to not get too hung up on trying to shield backup and recovery procedures from end-users - the more you dumb them down, the more headaches you create for the industry because somewhere along the way, someone is going to make a mistake and FIDO2/WebAuthn could get compromised because of implementation flaws. Better to let every Authenticator manufacturer create the most secure compartment they can key management, and users just learn to spend $10 on an external Security Key as a backup/recovery device. Perhaps, we need to start calling "Security Keys" Backup Keys, Recovery Keys or Convenience Keys to get consumers educated that this is not to be shunned, but rather, to be embraced. -- GitHub Notification of comment by arshadnoor Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-592503807 using your GitHub account
Received on Friday, 28 February 2020 13:05:01 UTC