Good question that points up a bit of contention. The screen lock is separate and apart from cryptographic software and, worse yet, optional in both use and type. Added to that, neither Android nor iOS provides APIs to verify type and use. Thus, a strong argument can be made that screen lock is not a factor in the authentication ceremony. On the other hand, if the multi-factor cryptographic software did, for example, require a biometric as a condition of use, then that biometric would be considered a factor.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAN%2B3J_i-o0WpO3iu-f-eqdiOMkaRte48Ghz33Ue6TY80tK_Ltg%40mail.gmail.com.
Hi Mike,
Not really. A phone is a platform facilitating running software apps. A software app could be an authenticator but that does not change the phone’s persona. If we look to NIST for guidance and specifically their definition of “Multi-Factor Authentication (MFA)” that references “Multi-Factor Authenticator” (SP 800-63-3) we learn “factors” relate to the authenticator and its authentication ceremonies, in other words the app. Using that as a guide as I prefer, then the Multi-Factor Cryptographic SOFTWARE FIDO2 authenticator app represents a single factor. If that app should also verify user identity using biometrics then it becomes 2 factors. And if the biometric verification includes a PIN then that is a third factor. I know of only one FIDO2 authenticator app thus far that delivers all 3 as described here.
Notwithstanding all of that, there is also the pesky word “assumption” where reliance on screen lock is concerned. Neither Google nor Apple permits an app to learn screen lock particulars. Thus the authenticator app is blind to screen lock use or type or time of use, blah, blah, blah. Where screen lock is concerned, the app blindly completes the authentication ceremony as a single factor. If one prefers to accept screen lock as a factor of the authentication ceremony, they do so as an unproven “assumption”. Not exactly what NIST describes.
And yes, I see this applies even if the app is called a “Passkey”.
Rick
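The thread's point that a relying party cannot see which user-verification method the authenticator (or the platform screen lock) actually used is visible in the WebAuthn authenticatorData structure itself. The following is an added example, not code from this thread, from the FIDO Alliance, or from any authenticator app: it parses the fixed header of authenticatorData (32-byte rpIdHash, one flags byte, 4-byte signature counter, as defined in the WebAuthn specification) and reports what an RP can and cannot learn. The flag bit positions are the WebAuthn values; the rp ID "example.com" and the two sample records are constructed here for illustration.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present (a touch / gesture happened)
FLAG_UV = 0x04  # user verified: some method ran, but the byte does not say which
FLAG_BE = 0x08  # backup eligible (multi-device credential, i.e. a "passkey")
FLAG_BS = 0x10  # backup state (credential is currently backed up)
FLAG_AT = 0x40  # attested credential data follows the 37-byte header
FLAG_ED = 0x80  # extension data follows


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the 37-byte fixed header of authenticatorData (test data only)."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return rp_id_hash + bytes([flags & 0xFF]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed header; attestedCredentialData / extensions are not parsed here."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "has_attested_cred": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def rp_id_matches(parsed: dict, expected_rp_id: str) -> bool:
    """RP-side check that the assertion was scoped to our own RP ID."""
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return parsed["rp_id_hash"] == expected


def verification_method(parsed: dict) -> str:
    """What the RP can conclude about user verification from the flags alone.

    'none'    -> UV clear: only presence (if UP) was checked.
    'unknown' -> UV set: a biometric, PIN, or platform screen lock ran, but the
                 authenticatorData does not carry which one or how strong it was.
    """
    return "unknown" if parsed["user_verified"] else "none"


def describe(parsed: dict) -> str:
    """Human-readable summary of the verifiable facts in the header."""
    parts = [
        f"UP={int(parsed['user_present'])}",
        f"UV={int(parsed['user_verified'])}",
        f"BE={int(parsed['backup_eligible'])}",
        f"BS={int(parsed['backup_state'])}",
        f"signCount={parsed['sign_count']}",
        f"verification method: {verification_method(parsed)}",
    ]
    return ", ".join(parts)


if __name__ == "__main__":
    # Constructed sample 1: a backed-up passkey assertion with UV set.
    passkey = build_authenticator_data(
        "example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0
    )
    # Constructed sample 2: presence-only assertion from a non-backed-up credential.
    presence_only = build_authenticator_data("example.com", FLAG_UP, 7)
    for record in (passkey, presence_only):
        p = parse_authenticator_data(record)
        print(describe(p), "| rpId ok:", rp_id_matches(p, "example.com"))
```

The RP learns that UV happened, and (via the BE/BS bits) that the credential is a synced passkey, but nothing about whether the verification was a biometric, a PIN, or a device screen lock, which is exactly the gap the thread is arguing about when counting factors.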