The ORIGINAL referenced 63B# criteria:
• 0410, 0420, 0430, 0440, 0450, 0460;
• 1150, 1160;
• 1210, 1220, 1230, 1240;
• 1270, 1280, 1290, 1300, 1310, 1320, 1330;
• 1450, 1460, 1470, 1480, 1490, 1500, 1510, 1520, 1530, 1540, and 1550.

 

 

 

I concur that the language should be reviewed to make clear that the use of the “In scope – Not applicable to Passkeys” caveat is specific only to criteria as it relates to the use of FIDO passkeys.

 

I would also note that the notice includes the following:  “Kantara Initiative is in the process of assessing the risks and defining such criteria that will provide the necessary confidence that compliance can be met. Until that is completed and communicated, …”  I think we should consider if that is accurate and update accordingly. 

 

With regard to criteria,

 

• STRIKE 0410, 0420, 0430, 0440, 0450, 0460 – strike these from the notice.  They are memorized secret/password criteria and not applicable to Cryptographic Device Authenticators.  They are referenced by the Cryptographic Device Authenticator criteria in 1290 and removed from applicability for passkeys when the notice strikes 1290.  Referencing them in the notice only risks a CSP thinking they may be ignored accidentally.
• ADD 1130, 1140, 1170– it is not clear why they were left out.  These controls appear to be local to the user device and outside the assessment scope
• KEEP 1150, 1160, 1210, 1220, 1230, 1240; - It should be noted that these are Single-Factor Cryptographic Software authenticator criteria.  While we may assume that passkeys are multifactor; technically the authenticator does not indicate.
• ADD 1250, 1260 – it is not clear why they were left out
• KEEP 1270, 1280, 1290, 1300, 1310, 1320, 1330
• KEEP 1450, 1460
• STRIKE 1470, 1480, 1490, 1500, 1510, 1520, 1530, 1540, and 1550.  - Strike these from the notice.  They are biometric criteria and not applicable to Cryptographic Device Authenticators.  They are referenced by the Cryptographic Device Authenticator criteria in 1310 and removed from applicability for passkeys when the notice strikes 1310.  Referencing them in the notice only risks a CSP thinking they may be ignored accidentally. (If they are to be included (1505 may need to be added
• ADD 1710 Throttling attempts for passkeys would be local to the device
• I’m not sure if the use of the 5 dot points has some hidden meaning

 

 

 

More specifically, WRT to the inclusion of 0410 – 0460; I suggest we consider how these would have been handled say two years ago, before passkeys were an issue. If you are not using passwords/Memorized secrets,  or one time password devices, or multi-factor cryptographic hardware, you simply Mark those criteria as in scope not applicable.  In the scenario where they are using passkeys but not passwords the caveats of the notice apply. In the scenario where they're using passwords but not pass keys the criteria is there to be addressed.  The trickiest aspect is a system using both; I think it is best for the notice to not call out those things that are dismissed under the heading of the cryptographic software criteria. Let them make that calculation; rather than them assuming that these rules do not apply at all (or to their passwords) because they are using passkeys

 

 

 

 

 

 

 

 

Jimmy Jung www.Slandala.com 703 851 6813