Yes – since the whole thing is in a gray area and we cannot see any of it; I went with the fuzzy FIDO words.  I have yet to understand why “synchability” was the item they chose to focus on; when there were so many other criteria that also caused issues, so I am hesitant to use that as the distinction.  NIST appears to want the acceptance of “non-synching” passkeys as well.  I would suggest reaching out to the FIDO experts we were talking to when we first got into this to see if they might suggest a concise method for distinguishing these things.  In the meantime, perhaps we could just say, “FIDO^TM Passkeys refers to authenticators using the FIDO2 standards”?    That seems to be how the alliance talks about it (https://fidoalliance.org/specifications/)

 

 

Notice KI#2024-01:  Accommodation of Passkeys

Use of FIDO^TM Passkeys presents difficulties in assessing criteria for which the CSP is unable to provide evidence of conformity because the criteria address functions which are beyond the control or visibility of the CSP.  Consequently, KI’s Assessors are unable to determine meaningful findings with regard to such criteria.  FIDO^TM Passkeys refers to authenticators using the FIDO2 standards.

Furthermore, industry is faced with widespread adoption of FIDO^TM Passkeys which have been identified as a valuable improvement over password authentication.  Their very ubiquity establishes them as a significant technology, such that they cannot be ignored.

Accordingly, CSPs which deploy FIDO^TM Passkeys shall mark the criteria listed below as having the following applicability:

“In scope – Not applicable to FIDO Passkeys
Refer to Notice KI#2024-01”

List of affected criteria

The lack of a means to effectively assess such solutions and therefore their exclusion from the scope of a Kantara Initiative Grant of Approval carries a degree of unassessed risk within services applying this Notice.  Therefore, Kantara Initiative strongly recommends that CSPs that use FIDO^TM Passkeys provide to their service consumers and users notice of their use of FIDO^TM Passkeys and stress that that these include NIST SP 800-63 requirements that cannot be controlled or monitored by the CSP.

 

 

 

I’m OK with that in principal BUT took care in that refined draft NOT to use the word ‘conformant’, or any derivative thereof, in connection with the actual implementation of these synch.authrs.  So how about something evasive like “Synch.authrs. implemented using the FIDO specification <<name here>>”, by which we make not even the slightest suggestion on KI’s part concerning the implementation’s state of conformity.

Replying just to IAWG will kill a bit of traffic  J

 

Richard G. WILSHER
CEO & Founder,  Zygma Inc.
www.Zygma.biz
+1 714 797 9942

 

From: Andrew Hughes [mailto:andrewhughes3000@gmail.com]
Sent: Sunday, November 10, 2024 17:09
To: Richard G. WILSHER (@Zygma Inc.)
Cc: IA WG
Subject: Re: [WG-IDAssurance] Re: Draft Notice re. FIDO Passkeys

 

 

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives --  https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/
______
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance