Handling Shared Devices


johnsm...@gmail.com

Sep 5, 2022, 6:47:43 AM
to FIDO Dev (fido-dev)
Hi All, 

It occurs to me that as FIDO is adopted further in the consumer space there is the likelihood of FIDO2 registrations and authentication journeys occurring on devices that are shared. 

For example, John and Jane are a couple and both have access to the same Apple iOS device. The Apple OS Platform Authenticator allows both John and Jane to register a native biometric template (see Apple Alternative Face ID).

An authentication event can now be an attestation of John or Jane. 

Of course, any authentication event could in theory come from anyone in the case where the Platform Authenticator fallback (e.g. iOS Passcode) is used/known to multiple parties. So this is not an entirely novel scenario.

However, I am interested if anyone else has thought about how to consider this shared device use case and if there are any considerations to how to identify or manage multi party device usage within a FIDO flow or otherwise. 

Thanks!

Philipp Junghannß

Sep 5, 2022, 7:08:13 AM
to johnsm...@gmail.com, FIDO Dev (fido-dev)
I would guess a lot would be similar compared to how normal FIDO devices work with multiple accounts on one RP.
If we are talking about resident keys, you get a selection dialog for which account you want to sign in with (like I have a few different MS365 accounts for admining places at work, and I just enter my FIDO2 PIN and then get the list).
However, if we are talking about classic credentials instead, which are partially stored on the server, it's even easier than that, as you have to enter your username, so you are forced to actually tell the site who you are trying to log in as.

However, in both scenarios, all users who share the on-device authentication can log in using those credentials.
On Android tablets one could go and enable multi-user, which properly splits contexts and would make sure you can only log in using your own credentials, as authentication is also split accordingly.


Emil Lundberg

Sep 5, 2022, 7:16:51 AM
to johnsm...@gmail.com, FIDO Dev (fido-dev)
Hi,

In most cases, if they both are authorized to use the authenticator, then by extension they are both authorized to access the account. If such credential sharing is against a service's terms of service, the service would have to manage that like they would any other kind of credential sharing. For example, some banks in my area prohibit customers from sharing their login credentials (smart cards & PINs, etc.) in the service contract, even though they have little or no technical countermeasures against sharing. The WebAuthn and CTAP2 protocols do not grant any ability to distinguish individual persons using the same authenticator (except if the authenticator supports the uvi extension, but I don't know of any that do).

Emil Lundberg

Software Engineer | Yubico


Philipp Junghannß

Sep 5, 2022, 10:09:14 AM
to Emil Lundberg, johnsm...@gmail.com, FIDO Dev (fido-dev)
Even uvi wouldn't be able to distinguish between different fingers vs. different people using a device. On my phone I have 3 fingers in for different ways I grip the phone, and my FIDO stick has prints of both hands because I could use it on either side. That's not even including the fact that when the fp sensor screws up I'll just go with the fallback, which has its own id, so trying to pin it to a single UV point might make stuff worse in the end.
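To make concrete what a relying party can and cannot see in the uvi discussion above, here is an added example (not code from either poster or from any FIDO library): it parses assertion authenticator data with a small CBOR decoder, reads the UP/UV flags and the `uvi` extension output, and reports when a credential is used with a uvi value not seen before. The RP ID `example.com`, the credential ids and the `sample_assertion` authenticator data are constructed for the demo; a new uvi may just be another enrolled finger or the PIN fallback, so it is a signal to review, not proof that a second person is using the device.

```python
import hashlib

def _cbor(d, pos=0):
    """Decode one definite-length CBOR item at d[pos]; return (value, next_pos)."""
    mt, ai = d[pos] >> 5, d[pos] & 0x1F
    pos += 1
    if ai >= 24:  # ai 24..27 -> argument is in the next 1, 2, 4 or 8 bytes
        n = 1 << (ai - 24)
        ai, pos = int.from_bytes(d[pos:pos + n], "big"), pos + n
    if mt in (0, 1):  # unsigned / negative integer
        return (ai if mt == 0 else -1 - ai), pos
    if mt in (2, 3):  # byte string / text string
        return (d[pos:pos + ai] if mt == 2 else d[pos:pos + ai].decode()), pos + ai
    if mt in (4, 5):  # array / map (a map holds 2*ai items, alternating key, value)
        items = []
        for _ in range(ai * (2 if mt == 5 else 1)):
            v, pos = _cbor(d, pos)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if mt == 5 else items), pos
    if mt == 7 and ai in (20, 21, 22):  # false / true / null
        return {20: False, 21: True, 22: None}[ai], pos
    raise ValueError("unsupported CBOR item")

def parse_auth_data(d):
    """Split assertion authenticator data into fields, including the 'uvi' extension output if present."""
    flags = d[32]
    if flags & 0x40:  # AT set: attested credential data belongs to registration, not to assertions
        raise ValueError("expected assertion authenticator data without attested credential data")
    info = {"rp_id_hash": d[:32], "up": bool(flags & 0x01), "uv": bool(flags & 0x04),
            "sign_count": int.from_bytes(d[33:37], "big"), "uvi": None}
    if flags & 0x80:  # ED set: CBOR map of extension outputs follows the sign count
        info["uvi"] = _cbor(d, 37)[0].get("uvi")
    return info

def observe_uvi(seen, cred_id, auth_data):
    """Track uvi values per credential: True on a first sighting, False if known, None if no UV/uvi."""
    info = parse_auth_data(auth_data)
    if not info["uv"] or info["uvi"] is None:
        return None
    known = seen.setdefault(cred_id, set())
    is_new = info["uvi"] not in known
    known.add(info["uvi"])
    return is_new

def sample_assertion(uvi, sign_count):
    """Constructed sample, not real authenticator output: flags UP|UV|ED and extensions {"uvi": uvi}."""
    ext = b"\xa1\x63uvi" + bytes([0x40 | len(uvi)]) + uvi  # CBOR map; uvi must be < 24 bytes here
    return hashlib.sha256(b"example.com").digest() + b"\x85" + sign_count.to_bytes(4, "big") + ext
```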

Rick

Sep 7, 2022, 8:51:22 AM
to FIDO Dev (fido-dev), My1, johnsm...@gmail.com, FIDO Dev (fido-dev), Emil Lundberg

This idea chills one to the bone. The very idea of a shared authenticator undermines authentication trust, the trust an RP places in the authentication ceremony. Oh, and btw AffirmID Auth supports both UV and UP.

Philipp Junghannß

Sep 7, 2022, 9:19:58 AM
to Rick, FIDO Dev (fido-dev), johnsm...@gmail.com, Emil Lundberg
A shared authenticator can make sense, like when you have an account that is shared by multiple people, like a company account on a social network or whatever.