3A/ High Security Use Cases in “Passkeys” era

From IIW

High-security Use Cases in “passkeys” Era

Session Convener: Kosuke Koiwai

Notes-taker(s): Nat Sakimura

Tags / links to resources / technology discussed, related to this session:

FIDO, passkey, levels of assurance, passkeys, WebAuthN, multi-device credentials, NIST SP800-63

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The session discussed multi-device authenticators, commonly known as “passkeys”.

The basic question posed in the session by Kosuke was how an application becomes aware of the change in assurance level that comes with the introduction of multi-device authenticators. To answer this, we needed to know more about multi-device authenticators, so Tim Cappalli explained the basics. What we learned was:

  • Multi-device authenticators are phishing-resistant authenticators like the existing FIDO platform authenticators, but the credentials are synchronized among the user's devices so the user experience is improved.
  • Their target is something better than passwords, though admittedly lower in security than FIDO2 security keys.
  • Old platform authenticators will not be turned into multi-device authenticators, so they are not degraded in terms of security level.
  • With the introduction of multi-device authenticators, the choices available to RPs are to create a multi-device authenticator or to stop accepting platform authenticators.

Then a very lively discussion followed on what changes in security properties result from this. John Bradley argued that it is isomorphic to federation, but this was argued back. However, it was agreed that the security properties are indeed changed from what many organizations have been assuming, namely that keys are not exportable.

Then we also discussed the implications of a new extension called Device Public Key (DPK). DPK creates a second public-private key pair to identify the “device”. DPKs can be cleared.

We learned that in a few days three major platform vendors will release multi-device credential capabilities for WebAuthN, which is in effect a password manager for FIDO credentials. It will be very convenient from one perspective, but it means we can no longer simply assume that a FIDO credential is bound to hardware. If your risk profile is not in favor of this change, then you have to do something such as asking for another authentication factor. It is happening soon, but there is no silver bullet. We also talked about the implications of this change for NIST SP800-63.
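As an added illustration, not part of the session notes, of how an RP can actually detect the assurance change discussed above: WebAuthn Level 3 defines two bits in the authenticatorData flags byte, BE (backup eligible) and BS (backup state), which a synced passkey sets and which older, device-bound authenticators report as zero. The parser below reads those bits and applies a step-up policy; the RP ID, flag values and the "step-up" decision are constructed for the example.

```python
import hashlib
import struct

# Flag bits of the WebAuthn authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def classify_credential(parsed: dict, rp_id: str) -> str:
    """Tell a device-bound credential from a multi-device (synced) passkey."""
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not parsed["backup_eligible"]:
        # Authenticators that predate the BE/BS bits also land here (both bits 0).
        return "device-bound"
    return "synced" if parsed["backup_state"] else "sync-eligible"


def assurance_decision(parsed: dict, rp_id: str, require_device_bound: bool) -> str:
    """Example RP policy: step up with another factor when hardware binding is required."""
    kind = classify_credential(parsed, rp_id)
    if kind == "device-bound" or not require_device_bound:
        return "accept"
    return "step-up"


def build_sample(rp_id: str = "example.com", flags: int = FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS,
                 sign_count: int = 0) -> bytes:
    """Constructed authenticatorData for testing (signCount 0 is typical for synced passkeys)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

In practice the same check runs on the authenticatorData of every assertion, not only at registration, because BS can change when a user later enables sync.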

GROUP PICTURE: See image(s) for these notes in the IIWXXXIV Book of Proceedings here: