If passkeys become a universal form of multi-factor authentication, organizations should indeed have the option to choose between sync-enabled passkeys and non-sync-enabled passkeys. This flexibility would allow organizations to align their security policies with their specific needs and risk profiles.
Additionally, in the general case, browsers should prompt users for consent before syncing passkeys across devices via cloud services like Google or Apple. This ensures that users are fully aware of where their credentials are stored and can make informed decisions about their security and privacy.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4b345b46-37f4-4676-b45e-c635ae2f18dcn%40fidoalliance.org.
Currently, users have options to choose authenticators but not the storage mechanism.
Here is an example: When we set "residentkey" to "false" for Android devices, we can achieve non-syncable credentials. However, if we give the same input to iOS devices, it should also result in non-syncable credentials. Instead, Apple overrides this input and provides syncable credentials, which is not correct.
I am explaining an example flaw in the implementation of the resident key mechanism. I am not suggesting `residentKey` = `false` as the exact solution. I am raising a genuine concern to the FIDO board to have an option for users or organizations to choose between syncable or non-syncable controls. If it is given, I believe this would be the safest and most user-friendly authentication mechanism for all kinds of authentication purposes.
I am raising this as a question or an alternative thought for everyone to consider, in order to enhance its use cases.
Either FIDO needs to strictly enforce that all authenticators follow the rules according to the defined form inputs, or provide users with more control over their credentials.
Regards,
Sabarinathan E.
FIDO Server Developer & Enthusiast
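An added example, not code from this thread or from any FIDO server implementation, showing the relying-party side of the choice discussed above. It builds the `authenticatorSelection` part of WebAuthn creation options (where `residentKey` takes `"discouraged"`, `"preferred"` or `"required"`, with the legacy `requireResidentKey` boolean kept consistent with it), and then reads the Backup Eligibility (BE, bit 3) and Backup State (BS, bit 4) flags that WebAuthn Level 3 defines in `authenticatorData`, which is the signal an RP actually has for whether a registered passkey can be synced. The rpId, user, challenge and the zeroed sample `authenticatorData` are constructed inputs; `buildCreationOptions`, `parseAuthDataFlags` and `evaluateSyncPolicy` and its policy names are hypothetical helpers.

```javascript
// Added example (not from the thread or any FIDO project). A relying party
// asks for a non-discoverable credential and then enforces its own
// sync policy from the BE/BS flags in authenticatorData (WebAuthn L3).

// Bit positions of the authenticatorData flags byte (WebAuthn Level 3).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_BE = 0x08; // backup eligible: credential may be synced
const FLAG_BS = 0x10; // backup state: credential is currently backed up
const FLAG_AT = 0x40; // attested credential data follows
const FLAG_ED = 0x80; // extension data follows

// Hypothetical helper: build PublicKeyCredentialCreationOptions.
// rpId, userId, userName and challenge are supplied by the caller.
function buildCreationOptions({ rpId, userId, userName, challenge, wantDiscoverable }) {
  const residentKey = wantDiscoverable ? "required" : "discouraged";
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      residentKey,
      // Legacy boolean, kept consistent with the enum for older clients.
      requireResidentKey: residentKey === "required",
      userVerification: "required",
    },
    // Ask the client to report whether a discoverable credential was made.
    extensions: { credProps: true },
    attestation: "none",
  };
}

// Parse the fixed head of authenticatorData: rpIdHash(32) | flags(1) | signCount(4).
function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const signCount =
    ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return {
    userPresent: !!(flags & FLAG_UP),
    userVerified: !!(flags & FLAG_UV),
    backupEligible: !!(flags & FLAG_BE),
    backedUp: !!(flags & FLAG_BS),
    hasAttestedCredData: !!(flags & FLAG_AT),
    hasExtensions: !!(flags & FLAG_ED),
    signCount,
  };
}

// Hypothetical policy check run at registration. policy is "device-bound",
// "synced" or "any". BS set without BE is invalid per the spec and is rejected.
function evaluateSyncPolicy(authData, policy) {
  const f = parseAuthDataFlags(authData);
  if (f.backedUp && !f.backupEligible) {
    return { accepted: false, reason: "BS set without BE" };
  }
  if (policy === "device-bound" && f.backupEligible) {
    return { accepted: false, reason: "credential is backup-eligible" };
  }
  if (policy === "synced" && !f.backupEligible) {
    return { accepted: false, reason: "credential is not backup-eligible" };
  }
  return { accepted: true, reason: "ok", flags: f };
}

// Constructed sample authenticatorData: zeroed rpIdHash, given flags, signCount 0.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

// Two constructed registrations: one from a syncing platform authenticator,
// one from a device-bound authenticator.
const SYNCED_AUTH_DATA = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT);
const BOUND_AUTH_DATA = sampleAuthData(FLAG_UP | FLAG_UV | FLAG_AT);

console.log(evaluateSyncPolicy(SYNCED_AUTH_DATA, "device-bound").reason);
console.log(evaluateSyncPolicy(BOUND_AUTH_DATA, "device-bound").reason);
```

`residentKey: "discouraged"` is only a hint to the client; the point the thread makes is that a platform may still create a syncable credential. The one enforcement point the RP keeps is inspecting BE at registration and rejecting credentials its policy does not allow, which is what `evaluateSyncPolicy` does.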