Mike, I was leaning the other way. Since the NIST approach is forcing us to build loopholes in our criteria, I continue to think that being more specific limits the risk of ‘another version "born" outside of FIDO.’ NIST has been open about their lack of concern for assessable criteria, and building “flexibility/ambiguity” may make sense from their perspective; perhaps not from ours. As written, the current guidance seems to be that Cryptographic Software Authenticators can now ignore the prohibition against “facilitate the cloning of the secret key onto multiple devices,” if they implement other controls that WE CANNOT assess. I assume this is predicated on risk assessments performed by NIST on FIDO implementations and not hypothetical future protocols. So, I’m thinking maybe we should consider retaining our limitation. Someone comes up with a new approach, we can update again. Even at our glacial pace, we’re still more agile than NIST. 😊 jimmy From: Mike Magrath <mmagrath@easydynamics.com> Sent: Thursday, November 21, 2024 12:09 PM To: IA WG <wg-idassurance@kantarainitiative.org> Subject: [WG-IDAssurance] Re: Proposed Passkey notice criteria A couple of comments... * My one big comment was already taken care of in the latest draft. That being removing reference to FIDO as NIST didn't want to limit it to FIDO syncable passkeys only should another version be "born" outside of FIDO. * The term "passkeys" should not be capitalized. * The text reads, "the use of any variant of Passkey".... While the 800-63B supplement is specific to syncable authenticators (syncable passkeys), the current text in the notice "any variant" implies it applies to both syncable and device-bound passkeys. If that is the case, we should clearly state that. If it is only applicable to syncable authenticators then we should clearly state that. Regards, Mike Michael Magrath (he/him) | Director of Identity Policy and Industry Relations | Easy Dynamics Corp<http://www.easydynamics.com/> mmagrath@easydynamics.com<mailto:mmagrath@easydynamics.com> | 703-944-1090 ________________________________ From: Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz<mailto:RGW@Zygma.biz>> Sent: Thursday, November 21, 2024 10:47 AM To: IA WG <wg-idassurance@kantarainitiative.org<mailto:wg-idassurance@kantarainitiative.org>> Subject: [WG-IDAssurance] Proposed Passkey notice criteria I believe that the list of criteria which should be referenced in the proposed notice are as follows: 63B# - 0410, 0420,0430, 0440, 0450, 0460, 1150, 1160, 1210, 1220, 1230, 1240, 1270, 1280, 1290, 1300, 1310, 1320, 1330, 1450, 1460, 1470, 1480, 1490, 1500, 1510, 1520, 1530, 1540, 1550 These have been previously brought to the IAWG’s attention when we were meddling with the actual text of some of these. Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz<http://www.Zygma.biz> +1 714 797 9942