Based on some of your comments in the initial posting, seeking an
Authenticator solution without defining a security policy for FIDO is
unlikely to meet company goals.
If your company has a security policy that disabled Windows Hello from
computers (it would be interesting to know the reasons for this policy,
but that's a topic of another discussion) and denies access to mobile
devices, you need to sit down with the Security folks in your company
and ask them what risk management policy they want to implement.
FIDO is not just a replacement for passwords; it is one of the most
complex authentication protocols. With the more than 100 options that
FIDO enables to define a security policy for its use, going from
passwords to FIDO is the equivalent of going from a Ford Model-T to a
Formula-1 racing machine - you have to know what you are driving if you
want to be successful in your mission.
Web application developers and Security Officers need to understand FIDO
thoroughly, define one or more security policies for its use (since
different applications have different levels of risk associated with
them) and *then* implement FIDO accordingly. The security policies will
narrow your choices and allow your company to make an informed decision
on what they have to do for different levels of risk. Any other approach
is likely to create confusion for one group or another (users,
developers, risk managers, business managers and executives).
On 8/27/23 7:36 AM, Priyanka Parekh wrote:
> Is there no other option than having physical device? How about
> building our own authenticator?
> On Sat, Aug 26, 2023, 6:03 AM My1 <teamhyd...@gmail.com
> at least as long as resident credential space doesn't become a problem.
> On Sat., 26 Aug 2023 at 09:06, 'Tim Cappalli' via FIDO
> Dev (fido-dev) <fido...@fidoalliance.org> wrote:
> FIDO2 security keys would be your best option.
> *From:* fido...@fidoalliance.org
> on behalf of Priyanka Parekh
> *Sent:* Saturday, August 26, 2023 3:45:35 AM
> *To:* FIDO Dev (fido-dev) <fido...@fidoalliance.org
> *Subject:* [FIDO-DEV] What alternatives exist for users with no
> mobile access and disabled windows hello?
> I'm currently exploring using FIDO passkeys for my external
> user base in big financial firm. But company security policy has
> disabled Windows Hello and some of the users on restricted
> floors are not allowed mobile phones.
> So I'm thinking what options I've to generate a passkey for such
> users? Is there a possibility to create my own authenticator
> using wasm and register it with OS/browser to be identified as
> platform authenticator?
> I've done plenty of research and not come across anything which
> could help me in the right direction... Any feedback would be
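The top reply argues that a FIDO security policy has to be defined before choosing an authenticator, and Tim Cappalli's suggestion is FIDO2 security keys. As an added example (not code from any poster in this thread), here is a relying-party registration check that encodes one such policy, "user-verified, hardware-bound credentials from an allowlisted roaming authenticator only", and applies it to the authenticatorData bytes a browser returns from navigator.credentials.create(); the AAGUID allowlist and the `attachment` argument are hypothetical placeholders.

```javascript
// Added example, not code from any poster in this thread. The policy values
// below (AAGUID allowlist, attachment) are hypothetical placeholders.
// authenticatorData layout per WebAuthn:
//   rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | credId | COSE key
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_BE = 0x08, FLAG_BS = 0x10, FLAG_AT = 0x40;

const POLICY = {
  requireUserVerification: true,
  forbidBackupEligible: true,            // reject synced (cloud-backed) passkeys
  allowedAaguids: new Set(["00000000-0000-0000-0000-0000000000a1"]), // placeholder
  requiredAttachment: "cross-platform",  // roaming security keys, not Windows Hello
};

function aaguidToString(bytes) {
  const h = Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const ad = { up: !!(flags & FLAG_UP), uv: !!(flags & FLAG_UV), be: !!(flags & FLAG_BE),
               bs: !!(flags & FLAG_BS), at: !!(flags & FLAG_AT), aaguid: null };
  if (ad.at) {
    if (authData.length < 53) throw new Error("attested credential data truncated");
    ad.aaguid = aaguidToString(authData.subarray(37, 53));
  }
  return ad;
}

// `attachment` is PublicKeyCredential.authenticatorAttachment from the browser response.
function checkRegistrationPolicy(authData, attachment, policy = POLICY) {
  const ad = parseAuthenticatorData(authData);
  const violations = [];
  if (!ad.up) violations.push("user presence not asserted");
  if (policy.requireUserVerification && !ad.uv) violations.push("user verification not performed");
  if (policy.forbidBackupEligible && ad.be) violations.push("credential is backup-eligible (synced passkey)");
  if (!ad.at) violations.push("no attested credential data");
  else if (!policy.allowedAaguids.has(ad.aaguid)) violations.push(`AAGUID ${ad.aaguid} not on allowlist`);
  if (policy.requiredAttachment && attachment !== policy.requiredAttachment)
    violations.push(`attachment "${attachment}" not permitted`);
  return { ok: violations.length === 0, violations, aaguid: ad.aaguid };
}

// Constructed sample authenticatorData (zero rpIdHash, zero signCount, 16-byte credential id).
function sampleAuthData(flags, aaguidHex) {
  const aaguid = aaguidHex.match(/../g).map(x => parseInt(x, 16));
  return Uint8Array.from([...new Array(32).fill(0), flags, 0, 0, 0, 0, ...aaguid, 0, 16, ...new Array(16).fill(0)]);
}
```

In production the AAGUID allowlist should be driven by attestation verification against FIDO metadata rather than trusted as-is, since the AAGUID field alone is only a claim.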