Is OOB implementation from Nok Nok, FIDO2 ?


Manish Kumar

Feb 20, 2019, 1:02:26 AM
to FIDO Dev (fido-dev)
Hello All, 

I happened to come across an OOB implementation from one of the FIDO leaders, Nok Nok Labs: https://www.noknok.com/oob-fido2-authentication/

In the implementation diagram, it is mentioned that for FIDO2 authentication a push notification is sent to the authenticator (read: smartphone) over the internet and the user provides biometrics to authenticate.
I had the understanding that direct communication between the browser and the authenticator is mandatory for the FIDO2 protocol to prevent phishing.

But in OOB, the push notification is sent over the internet from the authentication server directly, making it vulnerable to phishing.
Is it really aligned with the FIDO2 specifications, or is it just a product pitch? With push notifications over the internet, doesn't it become just another PKI-enabled biometric authentication?


Best Regards,
Manish
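
The phishing resistance the post refers to comes from the browser, not the page, writing the observed origin into clientDataJSON and the authenticator signing authData || SHA-256(clientDataJSON), so the relying party can reject an assertion produced on a look-alike origin. A push notification approved on a phone carries no equivalent field, because the phone never observes which origin the user was typing into. The following Python is an added example, not code from this thread or from Nok Nok, that models the relying-party checks of WebAuthn section 7.2 on constructed inputs. The RP ID, the allowed origin, the sign counters, and the HMAC stand-in for the credential signature (real authenticators use an asymmetric per-credential key such as ES256) are assumptions made for the example.

```python
"""Relying-party checks that bind a FIDO2/WebAuthn assertion to the browser origin."""
import base64
import hashlib
import hmac
import json
import os

# Assumed relying party configuration for this example (not taken from the thread).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

# Assumption: a symmetric stand-in for the credential's key so the block runs with the
# standard library. Real authenticators sign with a per-credential private key and the
# RP verifies with the stored public key; what is signed is the same in both cases.
CREDENTIAL_KEY = b"demo-credential-key-not-secret"


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser builds. The page cannot choose the origin; the browser records it."""
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def build_authenticator_data(rp_id: str, sign_count: int, user_verified: bool = True) -> bytes:
    """authData = rpIdHash(32) || flags(1) || signCount(4). UP = 0x01, UV = 0x04."""
    flags = 0x01 | (0x04 if user_verified else 0x00)
    rp_id_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    return rp_id_hash + bytes([flags]) + sign_count.to_bytes(4, "big")


def sign_assertion(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The authenticator signs authData || SHA-256(clientDataJSON); the origin is inside."""
    message = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(CREDENTIAL_KEY, message, hashlib.sha256).digest()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     signature: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Subset of the WebAuthn section 7.2 verification steps, in the order the spec lists them."""
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = client_data.get("challenge")
    if not isinstance(challenge, str) or not hmac.compare_digest(challenge, b64url(expected_challenge)):
        return False, "challenge mismatch (replay or stale request)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} not allowed (phishing indicator)"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode("ascii")).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    if not flags & 0x04:
        return False, "user verification flag not set"
    expected_sig = sign_assertion(authenticator_data, client_data_json)
    if not hmac.compare_digest(signature, expected_sig):
        return False, "signature does not cover the presented authData/clientDataJSON"
    return True, "ok"


def legitimate_login(challenge: bytes) -> tuple[bool, str]:
    cd = build_client_data(challenge, "https://login.example.com")
    ad = build_authenticator_data(RP_ID, 7)
    return verify_assertion(cd, ad, sign_assertion(ad, cd), challenge)


def relayed_through_phishing_site(challenge: bytes) -> tuple[bool, str]:
    """Attacker relays the RP's real challenge to the victim's browser on a look-alike origin.
    The browser still records the origin it actually saw, so the RP rejects the assertion."""
    cd = build_client_data(challenge, "https://login.example.com.evil.test")
    ad = build_authenticator_data(RP_ID, 8)
    return verify_assertion(cd, ad, sign_assertion(ad, cd), challenge)


def phisher_rewrites_origin(challenge: bytes) -> tuple[bool, str]:
    """If the relay rewrites clientDataJSON to the real origin after the fact, the signature
    was computed over the hash of the original clientDataJSON and no longer verifies."""
    cd_seen = build_client_data(challenge, "https://login.example.com.evil.test")
    ad = build_authenticator_data(RP_ID, 9)
    sig = sign_assertion(ad, cd_seen)
    cd_forged = build_client_data(challenge, "https://login.example.com")
    return verify_assertion(cd_forged, ad, sig, challenge)


if __name__ == "__main__":
    ch = os.urandom(32)
    print("legitimate:          ", legitimate_login(ch))
    print("relayed via phishing:", relayed_through_phishing_site(ch))
    print("origin rewritten:    ", phisher_rewrites_origin(ch))
```

In practice a browser would already refuse the relayed ceremony, because the requested RP ID `example.com` is not a registrable suffix of the phishing origin; the RP-side origin and rpIdHash checks are the second line of defence. The contrast with the OOB flow is that an approval sent back from a phone in response to a server push contains only what the server put in it, so no field exists for the RP to compare against the origin the user was actually interacting with.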



Fred Le Tamanoir

Feb 21, 2019, 6:36:50 PM
to FIDO Dev (fido-dev)

Wow, indeed, this is a very bad usage of FIDO2 (or UAF, as shown in the illustrations).
I don't think this whole solution can be FIDO2 certified. That's just a bad idea.

--
Fred

Manikanta Bojanki

Aug 8, 2019, 7:33:42 AM
to FIDO Dev (fido-dev)
The blog says OOB is a feature that Nok Nok provides to extend the FIDO authentication on your mobile device to other devices that don't directly support FIDO2 authentication.
So I think OOB will be helpful if the client device is not FIDO compatible but your account is already registered with the mobile authenticator. So the OOB authentication may not be FIDO certified, as it might only be used on devices which are not FIDO compatible.