How to login, after user deletes the passkeys from authenticator (mobile phone)


Dummy Account

Sep 12, 2023, 6:56:06 AM
to FIDO Dev (fido-dev)
Hi,
consider this scenario: I have registered my mobile device as an authenticator with example.com, and the user has enabled the flag to use the FIDO authenticator as one more added factor for authentication.

Now, assume the user has deleted the passkeys from the phone. Then how will he be able to log in to example.com, since the flag is enabled?
Please help me to find the solution for the use case mentioned above.

Thanks,
Yash

My1

Sep 12, 2023, 7:17:31 AM
to Dummy Account, FIDO Dev (fido-dev)
Unless he has other WebAuthn credentials, e.g. a FIDO device like a Yubikey or one of the many other options out there, or alternate 2FA methods like TOTP, the user would not easily get in without help, similar to a forgot-password situation, where a recovery flow would be needed.

Regards
My1

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/d0de2774-286c-4ecf-84e0-530027916fd4n%40fidoalliance.org.
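The decision tree in the reply above, written out from the relying party's side as an added Python example (not code from this thread, from the FIDO Alliance, or from any product named here). The `Account`/`Credential` types, the credential IDs and the returned path names are constructed assumptions; the list of IDs the authenticator "can sign" stands in for the client's answer to the RP's `allowCredentials` list.

```python
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    PLATFORM_PASSKEY = "platform_passkey"  # passkey held by a phone/laptop authenticator
    SECURITY_KEY = "security_key"          # roaming hardware authenticator
    TOTP = "totp"                          # alternate, non-WebAuthn second factor


@dataclass
class Credential:
    kind: Factor
    credential_id: str  # WebAuthn credential ID stored by the RP (a label for TOTP); constructed


@dataclass
class Account:
    username: str
    fido_required: bool  # the "flag" from the question: FIDO demanded as an added factor
    credentials: list = field(default_factory=list)

    def webauthn_ids(self):
        return [c.credential_id for c in self.credentials if c.kind != Factor.TOTP]

    def has_totp(self):
        return any(c.kind == Factor.TOTP for c in self.credentials)


def has_backup_factor(account):
    """Policy check before the RP lets a user turn fido_required on (assumed policy):
    require at least two independent second factors, i.e. a second WebAuthn
    credential or TOTP next to the phone passkey, so losing one authenticator
    does not lock the account."""
    return len(account.webauthn_ids()) + (1 if account.has_totp() else 0) >= 2


def choose_login_path(account, ids_authenticator_can_sign):
    """Pick the second step of login after the password.

    The RP never learns that a passkey was deleted on the phone: its public key
    and credential ID stay registered, but no authenticator will sign for it,
    so that ID never shows up in ids_authenticator_can_sign.
    """
    if not account.fido_required:
        return "password_only"
    usable = set(account.webauthn_ids()) & set(ids_authenticator_can_sign)
    if usable:
        return "webauthn"
    if account.has_totp():
        return "totp"
    # Nothing left to verify with: same situation as a forgotten password.
    return "recovery"


# Constructed sample data for the thread's scenario.
PHONE = Credential(Factor.PLATFORM_PASSKEY, "cred-phone-01")
KEY = Credential(Factor.SECURITY_KEY, "cred-key-01")


def demo():
    """Yash with only the phone passkey vs. Yash who also registered a security key."""
    only_phone = Account("yash", fido_required=True, credentials=[PHONE])
    # Passkey deleted on the phone: the authenticator can sign for none of the RP's IDs.
    locked_out = choose_login_path(only_phone, [])
    with_backup = Account("yash", fido_required=True, credentials=[PHONE, KEY])
    still_in = choose_login_path(with_backup, ["cred-key-01"])
    return locked_out, still_in


if __name__ == "__main__":
    print(demo())  # ('recovery', 'webauthn')
```

The point of `has_backup_factor` is that the deletion happens entirely on the device, out of the RP's sight, so the only place the RP can prevent the lock-out is before it enforces the flag; once the phone credential is gone, the `recovery` branch is the account's only way back in.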

Arshad Noor

Sep 12, 2023, 7:40:50 AM
to Dummy Account, FIDO Dev (fido-dev)
If you want the benefits of stronger security, you need to make a small
investment in the capability - not just by enabling MFA in your account
settings, but making sure you get yourself a Security Key that does NOT
release its private key out of the device, and make that your backup to
the platform authenticator.

Security Keys are not that expensive considering the long-term benefits:

- Hardware device on your keychain that is always with you;
- Private key does not leave the device (verify this though);
- Backup authenticator on every FIDO site that supports resident keys;
- Optionally, supports PIN/biometric capability for user verification;
- So easy to use that even a child can be trained to use it effectively.

An opportunity completely being ignored by manufacturers of computer
gear (laptops, mobiles, tablets, etc.) is that they have chosen not to
include a "free" Security Key (with their logo) bundled with the
computer. Not only would this have dramatically reduced the cost of a
Security Key in markets, but it would have put more than one in
everybody's pockets without making a material difference to the price of
the gear. Pity!

Arshad Noor
StrongKey

My1

Sep 12, 2023, 7:51:26 AM
to Arshad Noor, Dummy Account, FIDO Dev (fido-dev)
The Biggest issue with Physical FIDO Devices next to Smartphone Passkeys is the issue of credential storage. The passkey spec iirc says that the site should request Resident keys, and most of the well known FIDO Devices' storage capabilities are frankly a joke compared to the amount of sites that expect you to make an account for them.

After all, this is not just a thing that the user has to think about but the website too. If now every website went passkeys and asked for 2 (e.g. a phone and one physical) to be safe, that wouldn't end well, considering e.g. Yubikeys only have support for 25 RKs and even the Solo last time I checked stopped at about 50, and only a handful I know reach or even surpass 100 (the highest being 128).


Arshad Noor

Sep 12, 2023, 8:05:12 AM
to My1, Dummy Account, FIDO Dev (fido-dev)
I agree that storage is an issue - but, if you think about it, most
people really need a backup for less than 25 sites that they might use
most frequently - personally, I frequent less than 10. For all other
sites they could just use platform authenticators and whatever (less
secure) Account Recovery scheme the site offers. It's all about applying
appropriate risk management, isn't it?

Arshad
