Lost Dog! User Centric ID Management (FIDO and Other Opts…
Session Topic: Lost Dog! Usercentric ID Management
Convener: Chris Edwards, Intercede
Notes-taker(s): Peter Cattaneo, Intercede
Tags for the session - technology discussed/ideas considered: User-Centric ID, FIDO, credential lifecycle management, lost/stolen devices, device migration, improved user experience
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps: Brief history of credential management. Smart Cards, HSPD-12: Enrollment, lifecycle management. Existing solutions based on centralized issuance and management model.
Support lifecycle events such as lost/stolen devices, credential updates, device migration, user termination.
Secure credentials migrating into mobile devices; multiple secure elements available. Works today with existing centralized ID systems.
User centric ID needs a different approach. Brief FIDO overview
What happens when you lose a device? How do you migrate to a new device after you’ve registered lots of sites? How can you provision multiple devices with authenticators for the same set of RPs.
FIDO does not specify these user management features. Risks:
- 1) Bad user experience
- 2) Recovery process is lower security than FIDO PK credentials creating at soft point of attack
- 1) enhance the device to enable management on a mobile device;
- 2) cloud service;
MePin.com has implemented a cloud service with similar functionality; does not yet support FIDO.
Need to make sure that FIDO specs do not contain anything that would preclude implementing this functionality.
Work to standardize functions to:
- revoke existing authenticator;
- add second authenticator; using the first authenticator for authentication.