Another Step Toward a Password-Free Future

After reading this very interesting and well-written document shared by @chirano I am confident that if you own more than one device, even from different vendors, you are in for a pleasant experience.

Using a phone or a computer with biometric input with no option to use manual password entry is not acceptable, and I don’t think any consortium of any tech companies can make that concept work due to both political considerations (blowback on facial recognition etc) and practical considerations (millions of US citizens dependent on government services, always behind in technology including ID).

As often said in DoD contexts: “Hope is not a strategy.”

I already use ID.me and/or login.gov for access to multiple government and a few other sites from all my devices, so FIDO will be a simple transition once implemented.

ID.me works to authenticate your status to Apple as a vet, but doesn’t get you into DFAS. Neither does login.gov. Also, what about Social Security and Medicare? Are you enrolled in either yet?

Maybe “FIDO will be a simple transition once implemented” or maybe it won’t. When will it be implemented? DFAS has a new page trumpeting two-factor authentication…whoopee.

I’d be happy to hear about how you’ve overcome differences between gov’t sites or methods to minimize ID requirements. Often, I have to use Firefox because the latest version of Safari just doesn’t work. Never mind using a third party VPN. Solutions?

It shouldn’t be a problem then, as the announcement states:

Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN.

How does this work if you’re at a random computer that’s not yours (a friend’s or public terminal) and you want to sign in to an account to check something? At the moment, I can simply open 1Password on my phone and look up the password. Manually typing it into the computer is a small hassle but not a big deal. But I would not want to somehow associate my phone with the computer.

I currently use Yoti to access various government services, and on my Mac it presents a QR code on my screen which I scan with the Yoti app (on my phone it hands off between Safari and the Yoti app as you’d expect). This is easy, works well, and seems secure. Will such an option be available with the FIDO solution? (Or maybe this is the system Yoti is already using behind the scenes?)


I’m not an expert at this, but the Fido Alliance has a FAQ that answers questions like this. I think this one is answered here:

How does the user sign-in if a FIDO credential for the RP is not already available on the device?

This is best understood with an example: say the user has an Android phone where they already have a credential for the RP. Now they want to sign-in to the RP’s website on a Windows computer where they have never signed into the website before.

For existing devices, the user will point their browser to the RP’s website on the Windows computer. They see a ‘sign-in’ button on the login web page and hit that button. The user sees the option to add a new phone or use a previously paired one. If the user selects the paired phone and the phone is physically close (in BLE range) to the Windows computer, the user sees a pop-up from the Android OS asking in essence “I see you are trying to sign in on this nearby computer; here are the accounts I have.” The user chooses an account, at which point the Android OS asks “Please perform your unlock to approve sign-in to the computer with this account.” The user performs the unlock and they are signed in to the website.

Alternatively, the user can use a security key that has been enrolled with the RP. In this instance, the user will point their browser to the RP website on the Windows computer. They see a ‘sign-in’ button on the RP’s login web page and hit that button. When the RP asks for FIDO authentication, the user is able to insert or tap their Security Key to unlock and they are signed-in to the website.

The flow described in this example would work regardless of the OS the user’s mobile phone is running and the OS and browser available on the target device for login (e.g., computer, tablet, TV, etc.). The target user experience is very similar to that of a Phone Approval prompt commonly used as a second factor today. The crucial difference is that the approval is now phishing-resistant — this is because, when you approve a login on another device with a conventional phone approval, you don’t really know whether your other device is pointed to the correct website or a look-alike phishing site relaying information in real time. In addition, the mobile phone approval also replaces the password (as opposed to being used as a second-factor adjunct).


Thanks, that does sound like it would address that use case. I realise I should have read through the FIDO site, but I didn’t have time when I was reading this thread earlier, so thank you for taking the time to do so and extract the information. Great that they’re thinking through the various edge cases. I’m not sure I believe everything will work that smoothly between different devices and OSes (history doesn’t instil much confidence!), but if it does that’s excellent!

I agree. I think Apple’s website already supports Passkeys, and logging into it from my devices with TouchID or FaceID is quick and convenient without having to enter a user name, password, and second-factor code. If Apple, Google, and Microsoft manage to replicate this experience across the internet, it’ll be a very welcome change.


Yes, and in fact on my 2015 MacBook Air without Touch ID I can log in to my Apple ID from Safari with just my computer account password rather than with my Apple ID passphrase on Monterey - a perfect example of how FIDO might work if you don’t use biometrics.


I’ll look forward to further developments then, including addressing the concerns associated with lost or stolen devices and the use of PINs. I also look forward to see how this scheme is utilized with the millions of U.S. government users, as well as multiple EU government users.

Hopefully there will be a lower-cost, non-subscription alternative… Perhaps a dedicated YubiKey.

I don’t want to see people who do not want or cannot afford a smartphone to feel compelled to join the crowd. But it is getting difficult to live even a partially-disconnected lifestyle.


My wife has been a gardener for over 40 years while very rarely wearing gloves. Her fingerprints are essentially kaput and we could not get Touch ID to work on her iPhone. We recently upgraded to the 2022 SE3 and it does not offer Face ID as an option. Fortunately, neither of us minds relying on a 6-number code to access Apple Wallet, etc.


Eventually. When the spec is finalized and there are interoperable implementations and the bugs have been fixed. But as with all major changes to network infrastructure, there will be some bugs and some early adopters will encounter painful problems before they are fixed.

But hopefully, no major web sites will force you to transition to it before the tech matures.

I think the biggest problem is going to be for people like my parents, who do not have smartphones and do not want to get them. They are very happy with land-lines and simple mobile feature-phones. They might be able to use FIDO via an app on their computers, but that won’t help when traveling.

Based on what I’ve read so far, the biometrics are not your authentication key. The keys are generated randomly (similar to SSH private/public keys). The biometrics are used to securely store your private keys on your phone.

Assuming this is true, then there won’t be any political/privacy concerns that don’t already exist with today’s keychain technologies.

But, of course, this assumes that the implementation matches my understanding. If the biometrics are actually sent to some central server (no matter who runs it), then I agree with you 100%.

Thanks to @ddmiller for sharing the text about this.

It looks similar to the way 2FA systems work.

With 2FA, you log in, then the server asks for a device-generated code. Or (in the case of some), it sends a packet to a registered device and a companion 2FA app pops up a message asking if you want to approve the login.

The FIDO system looks similar, but without the password. You identify yourself and then the server contacts your trusted device (which you associated when creating the account), which asks if you want to log in or not.


ssa.gov allows both id.me and login.gov. medicare.gov doesn’t use either yet. va.gov also allows both along with DS Logon. There are a couple of other sites that use one or both, but can’t recall which at the moment.

Those of us who get old also are vulnerable to vision limitations, and smartphones are terrible for that. After cataract surgery I can see without glasses for the first time since I was 11, and have no problems driving, reading a newspaper or paper book, or using a computer. However, reading tiny type on a small screen is difficult to impossible. When AT&T turned off 3G they gave me a 4G flip phone, but the display lettering is so small I can’t read the caller ID until I put my reading glasses on; about its only good feature is the HD Voice sound. I can appreciate smartphones as elegant technology, but their user interface doesn’t work for me. It gets rather annoying.


YubiKeys do indeed work with FIDO as a roaming authenticator. The disadvantage is you need two YubiKeys in order to have a backup. Many users will already have a smartphone that can offer a level of user experience YubiKeys can’t.

Hi Jeff,
It’s OK to want what you want. I’m sure you are well aware that a flip phone is not a smartphone, which can have a much larger screen. My iPhone announces who is calling (and I don’t accept calls from “Unknown caller”), so I don’t need to look at the caller ID.
Much of this thread is about fear of change. I hate changes at my age.
However, my attempts to stay safe in a world that changes (whether I want it or not) will someday fall short. My ability to keep up with the threats will diminish as I get older. And I can tell from some of the comments that it is difficult to understand an unfamiliar technology.
I’ll happily go beyond passwords for something more secure and easier to use.
