- From: Arshad Noor <arshad.noor@strongkey.com>
- Date: Tue, 7 Jul 2020 19:52:16 -0700
- To: public-webauthn@w3.org
The problem with oversimplifying a "once in a blue moon" process to make life easier for end-users is that it can have the unfortunate side-effect of creating greater complexity in the FIDO protocol and its infrastructure, thereby leading to the morass that is today's PKI. It's far simpler to buy a $13-20 authenticator - there are 3 available in this price range on leading online marketplaces - and register a second public key as a backup credential to the account. When a new phone is acquired, reset the old phone to factory status (thus erasing all keys on the phone and invalidating public keys of that phone on various websites). Log into the website with the inexpensive authenticator, and register a new public key with the new phone.

Not only have you solved the problem of moving keys around between devices (using apps written by programmers whose knowledge of cryptography and key-management may be suspect), but you've also educated the user, permanently, about how to deal with FIDO key-management on their devices and sites. As an industry, we are better off educating users than defining more complex protocols that, while delivering very little real benefit, could potentially create vulnerability gaps that will be difficult to close after the fact.

Arshad Noor
StrongKey

P.S. I would even encourage the W3C and the FIDO Alliance to conduct contests for short, simple documentation on how to work with FIDO keys, and hand out "FIDO Pulitzers" to winners in different categories of documentation. Get a pool of authenticator manufacturers to donate 10-20 keys each, and give out one to every writer who submits a document as a "Thank You" for their submission. It is conceivable that creative writers and graphics artists may solve the problem better than we might.
On 7/6/20 8:04 PM, Ali-Amir Aldan via GitHub wrote:
> I am a bit confused about a multi-device multi-website scenario and was
> wondering if someone could help me out with that:
>
> A user uses their phone as their key and they are registered on a lot of
> websites with this phone (abc.xyz, example.com, etc) via some FIDO2
> compliant authenticator app. At some point they will upgrade their phone
> (get a newer Pixel/iPhone/etc) and at that time what is the spec's
> recommendation for enabling the new phone on all of the existing
> accounts (abc.xyz, example.com, etc)?
>
> There are approaches that an authenticator app could take to address
> that such as "securely" migrating existing credentials to the new device
> or forcing the user to manually add the device to the websites. But
> does FIDO2 provide a recommendation for which approach an authenticator
> app should take? My understanding from the thread is that this might be
> something outside of the specification and is the authenticator's
> reliability. But this seems like a very common use case and it would be
> great to have a recommendation (unless it's already there and I missed it).
>
Received on Wednesday, 8 July 2020 02:52:33 UTC