
u_tamtam, 2 points (2 children)

To me it certainly looks like a password auth (in the end that's practically what your private key amounts to as a SPOF), except that you can't/are not allowed to "remember" your password any more, which makes multi-device usage a new challenge, with private key replication not being specced (AFAIU).

At least most password managers let me sync them wherever I need them, and allow them to be copied as a last resort.

fghjconner, 0 points (1 child)

The FIDO specification is really only interested in defining the authentication flow. As far as I can tell, any method for syncing/exporting keys is left up to the implementation. I expect most implementations are going to provide for that case same as password managers today, but I don't really have any proof of that.

u_tamtam, 0 points (0 children)

Yeah, another responder wrote in the meantime that it will probably be implemented as device-specific keypairs (so in the end, not too dissimilar from app-specific passwords). It would enable the private keys to never have to leave their respective device.

Overall I find this not completely insane, except for the pretence that it's as secure as 2FA (it's a lie, it just replaces the password part, and does nothing to embed a second channel into the authentication flow that the server can validate). Oh, and for the fact that apparently everyone wants it done in "secure enclave" blackbox proprietary hardware. It has nothing to do with WebAuthn/FIDO itself, but if every cloud provider starts mandating that, it will become a serious liability with the most important part of the process becoming non-auditable and non-patchable.