This is a business strategy decision, Joe, not a technical one. I've
been a member of the FIDO ecosystem for over a decade, and do believe it
is feasible for a site to be completely password-free (notwithstanding
my opinion about synchronized passkeys[1]).
If your market is a developed country where the cost of a Security Key
is affordable (in the US for example, you can buy one for less than $10
on eBay, but averages to around $15), this is a reasonable policy.
The business could provide helpful information that educates consumers
about the security & privacy benefits of having the 'secret' that
controls their FIDO credential within their possession 100% of the time,
and how it can be on the same physical key-chain as their house or
vehicle keys. (It's a lot better than the helpful e-mails I get about
choosing the right password from various financial institutions.)
Most middle-class residents of developed countries can even afford 2
Security Keys so they have a backup for account recovery. If the
business wishes to build loyalty to their brand, they could even OEM
them from manufacturers with their logo on it, and give them to loyal
customers, or subsidize them to affirm their commitment to the consumers'
security & privacy.
The business website can also enable creating a backup FIDO credential
for them on their mobile device, laptop or desktop using a platform
authenticator - such as a TPM or Secure Element ensuring that their
'secret' to the credential is also physically stored on that device, and
is not sent into an opaque cloud for storage.
In the off-chance there are a small percentage of users who cannot
acquire one or work with one, rather than force them to create a
password and burden the business website with highly attackable secrets,
it's better to simply send them a link to their e-mail and offload that
authentication burden to their mail-service provider - and consider
having a human follow up with them to understand their reticence in
using a Security Key. You may find that a simple human conversation can
allay their fears of appearing ignorant and overcome their hesitance to
acquire Security Keys.
If you find that cost is truly an issue for them - then the business can
choose to make a decision if it is worthwhile giving away Security Keys
to customers to earn their loyalty, and completely eliminating the
ongoing burden of what to do about that small percentage of customers
without a Security Key.
In the decade of working with FIDO, I find it appalling that billion
dollar companies would rather debate over this issue for years,
continuing to place their companies and their customers at risk rather
than reduce their IT budgets (password management, password coding,
higher cybersecurity insurance, monitoring for password breaches,
dealing with password phishing scams) and simply put those savings
into building brand & customer loyalty with free Security Keys to all
customers.
Arshad Noor
StrongKey
[1] https://www.linkedin.com/pulse/would-you-trust-your-bank-both-keys-safe-deposit-box-arshad-noor/
On 9/25/24 4:52 PM, Joe Watkins wrote:
> Hello,
>
> Hopefully this is the right forum to ask a general question about going
> all in with Passkey.
>
> Would it be a wise move for a large company to go all in on Passkey and
> Bio-auth as the *only* mechanisms for authentication to access the goods
> and services of that company?
>
> I have reservations from a digital accessibility perspective related to
> excluding users who might not be able to [or want to] work through these
> flows. Is it still too early to go all-in where the company could
> totally remove user/pass auth?
>
> Industry leaders already using Passkey, and other more modern
> authentication methods still all allow for password or something as a
> backup authentication method.
>
> I see FIDO design principle #4 speaks to this but would love expert
> opinions closer to the metal.
>
> "For consumers to remain in control of their experience and to engender
> trust with your brand, provide clear options related to creating and
> managing passkeys. Allow them to create accounts with or without a
> passkey. Allow them to create a new password upon password reset or
> create a passkey instead."
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/d1536601-eae2-4c6a-b408-83ccd6514f92n%40fidoalliance.org