Episode 062: 11‐05‐2024 Reflecting on FIDO's evolution to passkeys - GluuFederation/identerati-office-hours GitHub Wiki

Title: Reflecting on FIDO's evolution to passkeys

Youtube Video

Description

What were passkeys before 2022? What are the passkeys today? What is missing?

Homework

Takeaways

⚡ Originally, platform authenticators generated a unique private key that never left the device (for example, one protected by its TPM). Now device-bound platform credentials are deprecated, and the browser sign-in flow no longer prioritizes them.

⚡ Now platform passkeys sync the private key to a "passkey provider" (the platform's cloud keychain or password manager). This is great for consumers: the credential is bound to the relying party's origin, so a lookalike site cannot phish it, and syncing gives recovery when a device is lost. Unlike social login, a passkey also proves that a user was physically present at an authenticator when they signed in.

⚡ Security keys remain the best fit for the enterprise. Synced platform passkeys are not "MFA": because the private key is present on multiple devices, a synced passkey does not prove possession of one unique "something you have" (the local PIN or biometric unlocks the key, but the relying party only learns that user verification happened, not which device held the key).

⚡ Enterprises find it hard to justify platform passkey rollouts. Passkeys do not help with common workforce MFA requirements (e.g. SOC, ISO) because they count as only one factor. Unfortunately, this pushes organizations toward phishable MFA technologies such as email OTP and SMS OTP.

⚡ The attack surface differs enormously between authentication workflows. A passkey and an email OTP each count as one "factor", but how much risk does each actually mitigate? We need a more nuanced way to weigh authentication "factors" than simply counting them.
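The synced-versus-device-bound distinction in the takeaways above is something a relying party can actually check: WebAuthn authenticator data carries Backup Eligible (BE) and Backup State (BS) flags that a synced passkey sets and a security key does not. The following is an added example written for this page, not code from the episode, from Gluu, or from any FIDO library. The relying party ID `example.com`, the policy function `evaluate`, and the sample authenticator data are all constructed for illustration.

```python
"""Relying-party check: does a WebAuthn assertion come from a synced passkey
or from a device-bound credential?  Added example for this page; it is not
code from the episode, from Gluu, or from any FIDO library.  The sample
authenticator data is constructed inline and the policy is hypothetical."""
import hashlib
import struct
from dataclasses import dataclass

# Bits of the "flags" byte in WebAuthn authenticator data (WebAuthn Level 3,
# section 6.1).  BE/BS are what separate a synced passkey from a device-bound key.
FLAG_UP = 1 << 0  # User Present: someone touched/approved the authenticator
FLAG_UV = 1 << 2  # User Verified: local PIN/biometric was checked
FLAG_BE = 1 << 3  # Backup Eligible: the private key may be synced to a provider
FLAG_BS = 1 << 4  # Backup State: the private key is currently backed up
FLAG_AT = 1 << 6  # Attested credential data follows (registration only)
FLAG_ED = 1 << 7  # Extension data follows


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def has(self, bit: int) -> bool:
        return bool(self.flags & bit)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian).
    Attested credential data and extensions, if present, follow and are ignored here."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def classify(auth: AuthData) -> str:
    """'device-bound': the key cannot leave the authenticator.
    'synced': the key already lives with a passkey provider.
    'backup-eligible': not backed up yet, but may be later (BE never changes, BS can)."""
    if auth.has(FLAG_BS):
        return "synced"
    if auth.has(FLAG_BE):
        return "backup-eligible"
    return "device-bound"


def evaluate(raw: bytes, expected_rp_id: str, require_device_bound: bool) -> tuple[bool, str]:
    """Hypothetical workforce policy: reject assertions for the wrong RP, assertions
    without presence/verification, and (when require_device_bound) synced passkeys."""
    auth = parse_auth_data(raw)
    if auth.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth.has(FLAG_UP):
        return False, "user presence not asserted"
    if not auth.has(FLAG_UV):
        return False, "user verification not performed"
    kind = classify(auth)
    if require_device_bound and kind != "device-bound":
        return False, f"credential is {kind}; policy requires a device-bound key"
    return True, kind


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data, i.e. what an authenticator
    returns in the assertion's authenticatorData field."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # hypothetical relying party ID
    samples = {
        "security key": make_auth_data(rp, FLAG_UP | FLAG_UV, 42),
        "synced platform passkey": make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0),
    }
    for name, raw in samples.items():
        print(name, "->", evaluate(raw, rp, require_device_bound=True))
```

Two caveats for anyone using this pattern: the flags are asserted by the authenticator itself, so they are only as trustworthy as the authenticator, and the signature over authenticatorData plus the hash of clientDataJSON must still be verified before any of this is believed. Only an attestation statement at registration lets an enterprise prove the key lives in a specific hardware model. Because BE is fixed for a credential's lifetime while BS can change, the device-bound decision is best made at registration, with the BS check at sign-in serving as a sanity check.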

Livestream Audio Archive
