What alternatives exist for users with no mobile access and disabled windows hello?

127 views
Skip to first unread message

Priyanka Parekh

unread,
Aug 25, 2023, 10:45:35 PM8/25/23
to FIDO Dev (fido-dev)
Hi,
I'm currrently exploring using FIDO passkeys for my external user base in big financial firm. But company security policy has disabled Windows Hello and some of the users on restricted floors are not allowed mobile phones.

So I'm thinking what options I've to generate a passkey for such users? Is there a possiblity to create my own authenticator using wasm and register it with OS/browser to be identified as platform authenticator?

I've done plenty of research and not come across anything which could help me in the right direction...Any feedback would be useful...

Tim Cappalli

unread,
Aug 26, 2023, 3:06:43 AM8/26/23
to Priyanka Parekh, FIDO Dev (fido-dev)
FIDO2 security keys would be your best option. 


From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of Priyanka Parekh <pripar...@gmail.com>
Sent: Saturday, August 26, 2023 3:45:35 AM
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: [FIDO-DEV] What alternatives exist for users with no mobile access and disabled windows hello?
 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/73d7b249-da4e-4636-8cb4-76cf353f0249n%40fidoalliance.org.

My1

unread,
Aug 26, 2023, 6:03:37 AM8/26/23
to Tim Cappalli, Priyanka Parekh, FIDO Dev (fido-dev)
at least as long as resident credential space doesnt become a problem.


Priyanka Parekh

unread,
Aug 27, 2023, 10:36:43 AM8/27/23
to My1, Tim Cappalli, FIDO Dev (fido-dev)
Is there no other option than having physical device?  How about building our own authenticator?

Tim Cappalli

unread,
Aug 27, 2023, 5:43:05 PM8/27/23
to Priyanka Parekh, My1, FIDO Dev (fido-dev)
You said your users can't have mobile phones.



From: Priyanka Parekh <pripar...@gmail.com>
Sent: Sunday, August 27, 2023 3:36:28 PM
To: My1 <teamhyd...@gmail.com>
Cc: Tim Cappalli <Tim.Ca...@microsoft.com>; FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: Re: [FIDO-DEV] What alternatives exist for users with no mobile access and disabled windows hello?
 

My1

unread,
Aug 27, 2023, 5:58:50 PM8/27/23
to Tim Cappalli, Priyanka Parekh, FIDO Dev (fido-dev)
I think a custom on-computer authenticator was meant. which is at the very least hard as windows aggressively steps in with fido.

Arshad Noor

unread,
Aug 27, 2023, 7:58:18 PM8/27/23
to Priyanka Parekh, FIDO Dev (fido-dev)
Priyanka,

Based on some of your comments in the initial posting, seeking an
Authenticator solution without defining a security policy for FIDO is
unlikely to meet company goals.

If your company has a security policy that disabled Windows Hello from
computers (it would be interesting to know the reasons for this policy,
but that's a topic of another discussion) and denies access to mobile
devices, you need to sit down with the Security folks in your company
and ask them what is the risk management policy they want to implement
for FIDO.

FIDO is not just a replacement for passwords; it is one of the most
complex authentication protocols. With the more than 100 options that
FIDO enables to define a security policy for its use, going from
passwords to FIDO is the equivalent of going from a Ford Model-T to a
Formula-1 racing machine - you have to know what you are driving if you
want to be successful in your mission.

Web application developers and Security Officers need to understand FIDO
thoroughly, define one or more security policies for its use (since
different applications have different levels of risk associated with
them) and *then* implement FIDO accordingly. The security policies will
narrow your choices and allow your company to make an informed decision
on what they have to do for different levels of risk. Any other approach
is likely to create confusion for one group or another (users,
developers, risk managers, business managers and executives).

Arshad Noor
StrongKey


On 8/27/23 7:36 AM, Priyanka Parekh wrote:
> Is there no other option than having physical device?  How about
> building our own authenticator?
>
> On Sat, Aug 26, 2023, 6:03 AM My1 <teamhyd...@gmail.com
> <mailto:teamhyd...@gmail.com>> wrote:
>
> at least as long as resident credential space doesnt become a problem.
>
>
> Am Sa., 26. Aug. 2023 um 09:06 Uhr schrieb 'Tim Cappalli' via FIDO
> Dev (fido-dev) <fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>>:
>
> FIDO2 security keys would be your best option.
>
> ------------------------------------------------------------------------
> *From:* fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org> <fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>> on behalf of Priyanka Parekh
> <pripar...@gmail.com <mailto:pripar...@gmail.com>>
> *Sent:* Saturday, August 26, 2023 3:45:35 AM
> *To:* FIDO Dev (fido-dev) <fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>>
> *Subject:* [FIDO-DEV] What alternatives exist for users with no
> mobile access and disabled windows hello?
> Hi,
> I'm currrently exploring using FIDO passkeys for my external
> user base in big financial firm. But company security policy has
> disabled Windows Hello and some of the users on restricted
> floors are not allowed mobile phones.
>
> So I'm thinking what options I've to generate a passkey for such
> users? Is there a possiblity to create my own authenticator
> using wasm and register it with OS/browser to be identified as
> platform authenticator?
>
> I've done plenty of research and not come across anything which
> could help me in the right direction...Any feedback would be
> useful...
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACNMeHexsAKT-ArSB98r%3D%2Bat4on3TzkGXcvdFCytBdNub9%2BVjA%40mail.gmail.com <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACNMeHexsAKT-ArSB98r%3D%2Bat4on3TzkGXcvdFCytBdNub9%2BVjA%40mail.gmail.com?utm_medium=email&utm_source=footer>.

Priyanka Parekh

unread,
Aug 27, 2023, 9:35:07 PM8/27/23
to Arshad Noor, FIDO Dev (fido-dev)
I understand that Arshad and thanks for your inputs.

As I mentioned solution I'm looking for is more for external user base which span across different companies so I'm more interested in making it work for them rather than internal users at this stage...

Hence looking for a more sophisticated solution...

DUBOUCHER Thomas

unread,
Aug 28, 2023, 3:34:52 AM8/28/23
to Arshad Noor, Priyanka Parekh, FIDO Dev (fido-dev)
THALES GROUP LIMITED DISTRIBUTION to email recipients

> If your company has a security policy that disabled Windows Hello from computers (it would be interesting to know the reasons for this policy, but that's a topic of another discussion)

This is currently the only way to deactivate PIN login on Windows. If your company uses e.g. smartcards for login, you don't want your user to be able to set a 4 digit local pin to unlock your workstation. But it completely deactivate the platform authenticator.

The only way then is to have a discrete FIDO authenticator, USB token or the same smartcard.

Best regards,

--
Thomas Duboucher
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/42846683-b4c2-4074-3f88-b546fbed8e08%40strongkey.com.

Arshad Noor

unread,
Aug 28, 2023, 12:42:32 PM8/28/23
to Priyanka Parekh, FIDO Dev (fido-dev)
In that case, it is likely you are planning to support both FIDO and
your current non-FIDO authentication scheme during the transition.

One approach you could take is to define a "Minimal" FIDO policy that
enables a wide variety of choices for the consumer: platform
authenticators and security keys that support most options. You can get
a feel for what a policy like this might support at:

https://demo.strongkey.com/fidopolicy/

One cautionary thought: going with a software authenticator is likely to
create a false illusion of security. While you may end up using FIDO and
it will be passwordless authentication, you cannot trust the attestation
the software authenticator will provide since it can make up anything it
wants - as such, it will be less trustworthy than your existing
authentication schemes. (We use the software authenticator included in
our open-source FIDO Certified server to test our server by changing all
kinds of authenticator options to verify the behavior of our server).

While none of your consumers are likely to have as strict a policy as
your company, it is still a good idea to understand what you are likely
to end up with as you program the options you choose to support in your
application.

Good luck.

Arshad
> > <mailto:teamhyd...@gmail.com
> <mailto:teamhyd...@gmail.com>>> wrote:
> >
> >     at least as long as resident credential space doesnt become a
> problem.
> >
> >
> >     Am Sa., 26. Aug. 2023 um 09:06 Uhr schrieb 'Tim Cappalli' via
> FIDO
> >     Dev (fido-dev) <fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>
> >     <mailto:fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>>>:
> >
> >         FIDO2 security keys would be your best option.
> >
> >
>  ------------------------------------------------------------------------
> >         *From:* fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>
> >         <mailto:fido...@fidoalliance.org
> >         <mailto:fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>>> on behalf of Priyanka Parekh
> >         <pripar...@gmail.com <mailto:pripar...@gmail.com>
> <mailto:pripar...@gmail.com <mailto:pripar...@gmail.com>>>
> >         *Sent:* Saturday, August 26, 2023 3:45:35 AM
> >         *To:* FIDO Dev (fido-dev) <fido...@fidoalliance.org
> <mailto:fido...@fidoalliance.org>
> >         <mailto:fido...@fidoalliance.org
> <mailto:fido-dev%2Bunsu...@fidoalliance.org>
> > <mailto:fido-dev+u...@fidoalliance.org
> <mailto:fido-dev%2Bunsu...@fidoalliance.org>>.
> > To view this discussion on the web visit
> >
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACNMeHexsAKT-ArSB98r%3D%2Bat4on3TzkGXcvdFCytBdNub9%2BVjA%40mail.gmail.com <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACNMeHexsAKT-ArSB98r%3D%2Bat4on3TzkGXcvdFCytBdNub9%2BVjA%40mail.gmail.com> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACNMeHexsAKT-ArSB98r%3D%2Bat4on3TzkGXcvdFCytBdNub9%2BVjA%40mail.gmail.com?utm_medium=email&utm_source=footer <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACNMeHexsAKT-ArSB98r%3D%2Bat4on3TzkGXcvdFCytBdNub9%2BVjA%40mail.gmail.com?utm_medium=email&utm_source=footer>>.
>

Arshad Noor

unread,
Aug 28, 2023, 12:48:25 PM8/28/23
to DUBOUCHER Thomas, Priyanka Parekh, FIDO Dev (fido-dev)
Thanks for that insight, Thomas.

However, all of the smartcards we have deployed with our PKI solutions
always allowed us to configure the PIN policy to be what the customer
required - going all the way up to 10 characters/digits, if necessary.
How can Windows Hello override such a PIN policy on an external smartcard?

Secondly, does Windows not have the ability to define a GPO to set a
policy that increases the strength of the PIN? And to also lock the
account if there are more than - say 5 - incorrect attempts? In such a
situation, would it not also impact the requirements for authenticating
to the TPM (aka platform authenticator on Windows devices)?

(We do not use Windows in our company - other than for testing - so I'm
only familiar with Windows to the extent that we have to deal with it
within PKIs).

Thanks.

Arshad

DUBOUCHER Thomas

unread,
Aug 29, 2023, 3:35:24 AM8/29/23
to Arshad Noor, Priyanka Parekh, FIDO Dev (fido-dev)
THALES GROUP LIMITED DISTRIBUTION to email recipients

Hi Arshad,

I apologize, my message was confusing.

Windows platform authenticator is configured through/linked to Windows Hello. The user configure their Windows PIN, or other unlock mechanism, e.g. biometrics. Then they use this gesture to unlock their platform authenticator.

However, if a company through GPO deactivate Windows Hello/PIN unlock in Windows, then the platform authenticator can no longer be used. Deactivating Windows Hello can be required e.g. if you use smartcard login only.

There is no way currently in Windows to:
- use the session password to unlock the platform authenticator (I'm really confused by this limitation), or
- forbid login with Windows PIN, but allow the PIN to be configured and used to unlock the platform authenticator,

Best regards,

--
Thomas Duboucher

-----Original Message-----
From: fido...@fidoalliance.org <fido...@fidoalliance.org> On Behalf Of Arshad Noor
Sent: lundi 28 août 2023 18:48
To: DUBOUCHER Thomas <thomas.d...@thalesgroup.com>; Priyanka Parekh <pripar...@gmail.com>
Cc: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: Re: [FIDO-DEV] What alternatives exist for users with no mobile access and disabled windows hello?

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/754f7b76-e74f-c3af-0028-48b8fa3c09ec%40strongkey.com.
Reply all
Reply to author
Forward
0 new messages