Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

I don't disagree with the current economics @mamartins / @Oloompa. $10 is too expensive for APAC. For now. But, all new technologies go through this curve. What some industries should recognize is that it will be less expensive for them to give away Security Keys to customers than to waste time/money with all the other crap they buy/implement to do "risk scoring" on the back-end to minimize breaches and fraud.

Privacy laws are going to force companies to make a trade-off: do they just force consumers towards FIDO2 - a privacy protecting protocol (so long as you don't use a third-party IDP) - or waste more time/money trying to protect PII that they glean from the user's platform? I think the economics are already in favor of forcing users towards FIDO2. The EU doled out 500M Euro of fines in 18 months of GDPR; California's Consumer Privacy Act ('the American GDPR') will allow consumers to sue companies for $750 per record per occurrence of a breach of PII; and California considers anything that can uniquely identify an individual to be PII, including IP addresses, "browser fingerprints", GPS locations, etc. Many US states are getting ready to pass their own privacy laws modeled along the lines of the CCPA (thanks to an incompetent Congress in Washington D.C.).

What makes sense in the long-run is for banks, brokerages, lawyers, accountants, etc. to start giving out a Security Key with their brand label to new customers who open accounts with them; for automobile companies to embed a FIDO2 Authenticator in their key-fobs; for car-rental companies and hotels to give away their branded FIDO2 keys to their Gold customers (I abandoned Marriott hotels after 25 years of using them and having achieved Platinum status because of their breach - I cannot tell you how many times I asked them to implement FIDO authentication on their site over the last 5 years); for luxury brand jewelry companies to embed secure elements within their watches, rings, necklaces, ear-rings, and for computer/laptop companies to include a FIDO2 Authenticator with each new computer purchased (in addition to the embedded secure element on their desktop/laptop). 

Does this add costs to the product the consumer is buying? Yes, it does. But, considering the cost of what they're spending for the _other_ product they're buying, the $5 Security Key embedded in their primary product will be negligible and irrelevant. Not only will consumers win with a backup/recovery key on their key-chain, but so will Relying Party sites because they can eliminate some of the useless security products they buy to mitigate their risks on the back-end. And, they will be able to claim Strong Customer Authentication for GDPR, PSD2, CCPA, PDPA and all the other privacy laws that will blanket the world eventually.

We all need to see the future for what it will make possible for us if our systems and applications were more secure - not get bogged down with the current debris of passwords and 2FA/MFA junk that prevents us from achieving a more secure future.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-592568002 using your GitHub account

Received on Friday, 28 February 2020 15:38:48 UTC