USB Key for Azure, Google Cloud, Microsoft, Windows


Ching Lin

Mar 24, 2021, 6:04:45 AM
to FIDO Dev (fido-dev)
Hi,

We are a vendor making a FIDO2 USB key. This month we just finished the interoperability test and passed all the items.

Now we were wondering if our USB key can be applied to Azure, Google Cloud, Microsoft and Windows logon. It seems that we need to ask these entities to put our metadata into their RP MDS. We do not know if it makes sense.

I am really looking forward to someone who would like to shed some light.

Vince

Arshad Noor

Mar 24, 2021, 7:18:27 AM
to Ching Lin, FIDO Dev (fido-dev)
What you need to do is follow the guidance provided here, Vince:
https://fidoalliance.org/metadata/.

RP sites don't include your metadata; they (optionally) download it from
the Metadata Service provided by the FIDO Alliance (or others, if any)
and make risk-management decisions based on what is published in there.

As an Authenticator manufacturer, you have to make a business decision
on whether you wish to publish metadata statements about your brand of
Authenticator(s). If so, then you need to follow the procedures defined
at that webpage. If you have questions, there is an e-mail address at
the bottom of that page where you can seek help.

Arshad Noor
StrongKey

Ackermann Yuriy

Mar 24, 2021, 9:18:06 AM
to Ching Lin, FIDO Dev (fido-dev)
Hey Ching.

MDS and metadata are not mandatory, but advisable. FIDO Alliance is launching the new MDS3 in the upcoming months, so you might be interested in that.

Another thing you might be interested in is getting on the Azure list of FIDO2 authenticators.


Regards. Yuriy




Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand



Ching Lin

Mar 25, 2021, 4:08:37 AM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), Ching Lin
Thanks so much for shedding light. 
So for service providers like LINE, Amazon or others that have a FIDO2 server, our authenticator is operable as long as they do update the metadata. 
But like Azure AD, Microsoft..., it requires additional application to join the network. Am I right?


Vince 

Philipp Junghannß

Mar 25, 2021, 4:14:58 AM
to Ching Lin, FIDO Dev (fido-dev), Ackermann Yuriy
I am not even sure if metadata is needed for every service, because if they, for example, just don't ask or don't really check the attestation against the MD service, the metadata would be irrelevant.

Regards
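
The relying-party decision described in the replies above (metadata is consulted only when attestation is requested and checked), sketched as an added example that is not part of any post in this thread. The entry fields follow the MDS3 BLOB payload layout; the AAGUIDs, sample entries, reason strings and the `require_metadata` policy flag are constructed assumptions.

```python
# Added illustration of a relying-party policy check; not code from the thread.
# Entry fields (aaguid, statusReports[].status) follow the FIDO MDS3 BLOB
# payload layout. AAGUIDs and entries below are constructed sample data.

# Status values this example policy treats as disqualifying (a policy choice).
BAD_STATUSES = {
    "REVOKED",
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}

SAMPLE_ENTRIES = [  # constructed, not real authenticators
    {"aaguid": "11111111-1111-1111-1111-111111111111",
     "statusReports": [{"status": "FIDO_CERTIFIED_L1"}]},
    {"aaguid": "22222222-2222-2222-2222-222222222222",
     "statusReports": [{"status": "FIDO_CERTIFIED"}, {"status": "REVOKED"}]},
]


def index_by_aaguid(entries):
    """Map lower-cased AAGUID -> metadata entry (entries without one are skipped)."""
    return {e["aaguid"].lower(): e for e in entries if "aaguid" in e}


def decide(attestation_fmt, aaguid, metadata, require_metadata=False):
    """Return (accepted, reason) for one registration.

    Assumes the attestation signature and certificate chain were already
    verified by the WebAuthn library before this policy step runs.
    """
    if attestation_fmt == "none":
        # Without attestation the AAGUID is unverified, so metadata cannot be applied.
        if require_metadata:
            return False, "attestation-required"
        return True, "metadata-not-consulted"
    entry = metadata.get(aaguid.lower())
    if entry is None:
        # Model not published in the metadata service: the RP's policy decides.
        return (False, "not-in-metadata") if require_metadata else (True, "unknown-model")
    flagged = BAD_STATUSES & {r["status"] for r in entry.get("statusReports", [])}
    if flagged:
        return False, "status:" + ",".join(sorted(flagged))
    return True, "listed"
```
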

Neel Shah

Jun 4, 2021, 5:01:38 AM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev)
Hi Yuriy,

While we are trying to get our authenticator on the Azure list too, we need to understand if there are any specifications around one of their requirements:

Multiple accounts per RP
This feature ensures you can use the same security key across multiple services like Microsoft Account and Azure Active Directory

Here is the link:


If FIDO has such specifications can you please direct us to the said link?

Thanks

Neel.

nuno sung

Jun 7, 2021, 12:14:06 AM
to FIDO Dev (fido-dev), Neel Shah, Ackermann Yuriy, FIDO Dev (fido-dev)
For multiple accounts per RP case
This is to help platform UI to show more plain information for user to select.

Neel Shah wrote on Friday, June 4, 2021 at 5:01:38 PM [UTC+8]: