
Sabarinathan Eaganathan

Jun 27, 2024, 3:20:37 AM
to FIDO Dev (fido-dev)

If passkeys become a universal form of multi-factor authentication, organizations should indeed have the option to choose between sync-enabled passkeys and non-sync-enabled passkeys. This flexibility would allow organizations to align their security policies with their specific needs and risk profiles.

Additionally, in the general case, browsers should prompt users for consent before syncing passkeys across devices via cloud services like Google or Apple. This ensures that users are fully aware of where their credentials are stored and can make informed decisions about their security and privacy.

FIDO Server developer.

Tim Cappalli

Jun 27, 2024, 6:23:08 AM
to Sabarinathan Eaganathan, FIDO Dev (fido-dev)
Did you intentionally send the same message to the list again as a new thread?

Sabarinathan Eaganathan

Jul 1, 2024, 5:33:35 AM
to Tim Cappalli, FIDO Dev (fido-dev)
Yes, I shared it as a separate thread to raise the question of why FIDO does not provide the option to choose between syncable and non-syncable passkeys.


Jul 1, 2024, 5:40:43 AM
to Sabarinathan Eaganathan, Tim Cappalli, FIDO Dev (fido-dev)
Key point though is that the browser isn't the one in control of the sync but rather the authenticator (aka your phone), so that would likely be the best place to ask, especially also if there are multiple sync targets available, like having multiple Google accounts on your phone, so check where to sync to.

Tim Cappalli

Jul 1, 2024, 5:49:52 AM
to Sabarinathan Eaganathan, FIDO Dev (fido-dev)
It's not a "FIDO" thing. Users choose their authenticators.

Sabarinathan Eaganathan

Jul 1, 2024, 6:19:48 AM
to Tim Cappalli, FIDO Dev (fido-dev)

Currently, users have options to choose authenticators but not the storage mechanism.

Here is an example: When we set "residentKey" to "false" for Android devices, we can achieve non-syncable credentials. However, if we give the same input to iOS devices, it should also result in non-syncable credentials. Instead, Apple overrides this input and provides syncable credentials, which is not correct.

I am explaining an example flaw in the implementation of the resident key mechanism. I am not suggesting 'residentKey' 'false' as the exact solution. I am raising a genuine concern to the FIDO board to have an option for users or organizations to choose between syncable or non-syncable controls. If it is given, I believe this would be the safest and most user-friendly authentication mechanism for all kinds of authentication purposes.

I am raising this as a question or an alternative thought for everyone to consider, in order to enhance its use cases.

Either FIDO needs to strictly enforce that all authenticators follow the rules according to the defined form inputs, or provide users with more control over their credentials.

Sabarinathan E.
FIDO Server Developer & Enthusiast

Tim Cappalli

Jul 1, 2024, 6:40:16 AM
to Sabarinathan Eaganathan, FIDO Dev (fido-dev)
By choosing an authenticator, you're choosing form factor, features, security, etc. Some authenticators only create passkeys. Some can create both passkeys and server-side credentials.

The default authenticators available to consumers create passkeys by default.

"...which is not correct"

That is your opinion :)

"I am raising a genuine concern to the FIDO board to have an option for users or organizations to choose between syncable or non-syncable controls."

Consumers already have this choice, and as I mentioned in your original thread, for workforce scenarios, there are numerous options available to you today.



Jul 1, 2024, 10:35:51 AM
to Tim Cappalli, Sabarinathan Eaganathan, FIDO Dev (fido-dev)
I think he is not talking about the choice the user makes but rather that the RP should be able to choose/filter based on things like sync modality etc.

Also, wasn't the last consensus that everything passwordless is a passkey, but there are things added to be specific, like "device-bound passkey"?
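An added example, not part of this thread: the thread above discusses whether an RP can tell (or require) a device-bound versus a syncable passkey. The signal an RP actually has is in the WebAuthn Level 3 authenticator data flags byte: BE (backup eligible, bit 3) and BS (backed up, bit 4). The code below parses that prefix from constructed sample authenticator data and applies an RP policy on it; the helper names (`parse_auth_data`, `classify_passkey`, `registration_allowed`, `make_auth_data`) and the policy are mine, not from any FIDO library.

```python
import hashlib
import struct

# WebAuthn authenticator data prefix (Level 3):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
# Other flag bits not decoded here: AT=0x40 (attested cred data), ED=0x80 (extensions).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced across devices
FLAG_BS = 0x10  # backed up: credential is currently synced


def parse_auth_data(auth_data: bytes, rp_id: str) -> dict:
    """Validate the fixed 37-byte prefix for this RP and decode the sync-related flags."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this RP")
    flags = auth_data[32]
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if bs and not be:
        # The spec only allows BS=1 together with BE=1; anything else is a broken authenticator.
        raise ValueError("invalid flags: BS set without BE")
    return {
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": be,
        "backed_up": bs,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def classify_passkey(info: dict) -> str:
    """BE=0 is device-bound; BE=1 can be synced, and BS says whether it currently is."""
    if not info["backup_eligible"]:
        return "device-bound"
    return "synced" if info["backed_up"] else "sync-eligible"


def registration_allowed(info: dict, allow_synced: bool) -> bool:
    """Hypothetical RP policy: require UV and, when configured, reject sync-eligible credentials."""
    if not info["user_verified"]:
        return False
    return allow_synced or not info["backup_eligible"]


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed sample authenticator data (prefix only, no attested credential data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

At registration the RP stores `backup_eligible`; on later assertions a change from BE=0 to BE=1 for the same credential should be treated as a policy event, since eligibility is fixed for the credential's lifetime.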

