I think we must retain the language used by NIST (at least); otherwise readers will have no way to link up the text. "Device-bound passkey" is the other form of passkey. Is Notice KI#2024-01 intended to cover scenarios in which implementations of syncable authenticators are NOT FIDO Passkeys? As an assessor that holds the accountability for your assessment quality, how would you handle this?
————————
*Andrew Hughes *CISM m +1 250.888.9474 AndrewHughes3000@gmail.com
On Mon, Nov 11, 2024 at 9:40 PM Jimmy Jung <jimmy.jung@slandala.com> wrote:
Yes – since the whole thing is in a gray area and we cannot see any of it, I went with the fuzzy FIDO words. I have yet to understand why “syncability” was the item they chose to focus on, when there were so many other criteria that also caused issues, so I am hesitant to use that as the distinction. NIST appears to want the acceptance of “non-syncing” passkeys as well. I would suggest reaching out to the FIDO experts we were talking to when we first got into this to see if they might suggest a concise method for distinguishing these things. In the meantime, perhaps we could just say, “FIDO™ Passkeys refers to authenticators using the FIDO2 standards”? That seems to be how the alliance talks about it (https://fidoalliance.org/specifications/).
*Notice KI#2024-01: Accommodation of Passkeys*
Use of FIDO™ Passkeys presents difficulties in assessing criteria for which the CSP is unable to provide evidence of conformity because the criteria address functions which are beyond the control or visibility of the CSP. Consequently, KI’s Assessors are unable to determine meaningful findings with regard to such criteria. *FIDO™ Passkeys refers to authenticators using the FIDO2 standards.*
Furthermore, industry is faced with widespread adoption of FIDO™ Passkeys, which have been identified as a valuable improvement over password authentication. Their very ubiquity establishes them as a significant technology, such that they cannot be ignored.
Accordingly, CSPs which deploy FIDO™ Passkeys shall mark the criteria listed below as having the following applicability:
“In scope – Not applicable to FIDO Passkeys. Refer to Notice KI#2024-01”
*List of affected criteria*
The lack of a means to effectively assess such solutions, and therefore their exclusion from the scope of a Kantara Initiative Grant of Approval, carries a degree of unassessed risk within services applying this Notice. Therefore, Kantara Initiative *strongly recommends* that CSPs that use FIDO™ Passkeys provide to their service consumers and users notice of their use of FIDO™ Passkeys and stress that these include NIST SP 800-63 requirements that cannot be controlled or monitored by the CSP.
*From:* Richard G. WILSHER (@Zygma Inc.) <RGW@Zygma.biz> *Sent:* Sunday, November 10, 2024 12:40 PM *To:* 'IA WG' <wg-idassurance@kantarainitiative.org> *Subject:* [WG-IDAssurance] Re: Draft Notice re. FIDO Passkeys
I’m OK with that in principle BUT took care in that refined draft NOT to use the word ‘conformant’, or any derivative thereof, in connection with the actual implementation of these synch. authrs. So how about something evasive like “Synch. authrs. implemented using the FIDO specification <<name here>>”, by which we make not even the slightest suggestion on KI’s part concerning the implementation’s state of conformity.
Replying just to IAWG will kill a bit of traffic :)
*Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942*
*From:* Andrew Hughes [mailto:andrewhughes3000@gmail.com] *Sent:* Sunday, November 10, 2024 17:09 *To:* Richard G. WILSHER (@Zygma Inc.) *Cc:* IA WG *Subject:* Re: [WG-IDAssurance] Re: Draft Notice re. FIDO Passkeys
We might want to phrase it something like "Syncable authenticators implemented in conformance with FIDO (specification name here)..."
Because "FIDO Passkeys" is not a real thing – that's a marketing name.
————————
*Andrew Hughes *CISM m +1 250.888.9474 AndrewHughes3000@gmail.com
On Sun, Nov 10, 2024 at 9:04 AM Richard G. WILSHER (@Zygma Inc.) <RGW@zygma.biz> wrote:
+1
*Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942*
*From:* Jimmy Jung [mailto:jimmy.jung@slandala.com] *Sent:* Sunday, November 10, 2024 13:08 *To:* Carol Buttle; Richard G. WILSHER (@Zygma Inc.) *Cc:* IA WG *Subject:* RE: [WG-IDAssurance] Re: Draft Notice re. FIDO Passkeys
Correct me if I am wrong, but FIDO (or WebAuthn) is the standard used by Apple, Google, MS, etc.
I had suggested specifically calling out FIDO. While these seem to be the focus of the NIST supplement, NIST used the generic "syncable authenticators." My concern was that we are opening up a loophole in the criteria, so we may want to be more restrictive.
Sent from my Verizon, Samsung Galaxy smartphone
-------- Original message --------
From: Carol Buttle <carol@kantarainitiative.org>
Date: 11/9/24 8:12 PM (GMT-05:00)
To: "Richard G. WILSHER (@Zygma Inc.)" <RGW@zygma.biz>
Cc: IA WG <wg-idassurance@kantarainitiative.org>
Subject: [WG-IDAssurance] Re: Draft Notice re. FIDO Passkeys
Hi Richard,
Thanks for this.
Are we only talking about FIDO here?
Are Apple or Google passkeys, should they find their way in, any more assessable?
Carol
On Sat, Nov 9, 2024 at 12:41 AM Richard G. WILSHER (@Zygma Inc.) <RGW@zygma.biz> wrote:
Further to the action Jimmy gave me during yesterday’s IAWG call, please find attached a first draft for comment of the notice which was proposed.
It has been back and forth between Jimmy and myself and is improved from yesterday’s hasty effort. The list of applicable criteria is yet to be definitively produced, but I believe that the list is of secondary importance to the body of the notice, hence its early provision.
I will follow up with a further version including the list, but that will be later into next week.
Bon weekend a tous,
*Richard G. WILSHER CEO & Founder, Zygma Inc. www.Zygma.biz +1 714 797 9942*
_______________________________________________ A Community Group mailing list of KantaraInitiative.org WG-IDAssurance mailing list -- wg-idassurance@kantarainitiative.org To unsubscribe send an email to staff@kantarainitiative.org List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantara... ______ Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-IDAssurance