Without making any explicit argument for it, what I see coming out of FIDO and U2F is really changing the importance of the long-standing "something you have, something you know..." mindset around security. That prior mode was not helping us design systems that take the human capabilities of the user into account.
Prior security seemed to focus entirely on attackers, their agency, and what they could potentially do. But we also need to pay attention to what users can do in order to build a secure system. Requiring users to read domain name strings, potentially in Unicode, every time, and make sure they are correct, to prevent phishing, is a really bad design. Instead, have the website authenticate itself to the user, automatically, and have the machine do the string comparisons.
Similarly, the distinction between user and password for a biometric doesn't make much sense in this case. It's neither. The user is identified by a different mechanism, the biometric is merely a way for the device to see that the user is there.
There are always lots of attack modes for biometrics, but they are convenient and good enough to capture nearly all common and practical attack modes. And a huge problem of the 90s and 2000s security thinking was focusing on the wrong attack modes for the internet age.
> Without making any explicit argument for it, what I see coming out of FIDO and U2F is really changing the importance of the long-standing "something you have, something you know..." mindset around security. That prior mode was not helping us design systems that take the human capabilities of the user into account.
Don't think that's quite true. It's a continuation of the old "something you know", "something you have" and "something you are" authentication factors, and the idea that at least two factors should be used to authenticate.
The username/password approach is only a single factor, “something you know”.
Common 2FA solutions use "something you know" (your password) and "something you have" (a device proven via OTP or SMS).
FIDO with biometrics trades all that for 2FA driven by "something you are" (biometrics) and "something you have" (your device's Secure Enclave).
You don't send your biometrics to the service you're authenticating with. Rather, you're using your biometrics to prove "something you are" to your device, which your device then mixes with a private key that proves you're in possession of a known device. All of that is then used to authenticate with your service.
In order to enable a cloud-synced private key, you need the syncing process to require 2FA to enable new devices. The 2FA process can be clunky and slow, because you only need to do it once per device enrolment. Indeed, it needs to be clunkier, because you don't have a biometric factor available for use, as the enrolment process is normally used to onboard both a device and a device-specific biometric factor.
After that your device becomes a known, authenticated device, which can be used as a "something you have" factor for authentication.
All of this isn’t a change from long standing authentication strategy. It’s just a refinement of process to make the underlying authentication strategy user friendly.
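The flow described in the two comments above (the biometric only unlocks the device, the device signs with a private key that never leaves it, and the browser rather than the user does the domain comparison) as a worked example. This is added illustration code, not anything from FIDO, WebAuthn or a commenter; it models the WebAuthn shape (per-rpID key, server challenge, client-observed origin in the signed data) with Go's standard-library Ed25519, and the names Authenticator, RelyingParty, ClientData, Login and Setup are this example's own. The "user present" boolean stands in for the biometric check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator stands in for the device's secure element: one signing key
// per relying-party ID, used only after a local user-presence (biometric) check.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key; never exported
}

// ClientData is assembled by the browser, not typed by the user: the server's
// challenge plus the origin the browser actually observed.
type ClientData struct {
	Challenge string `json:"challenge"` // hex-encoded nonce from the RP
	Origin    string `json:"origin"`
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register creates a key pair scoped to rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assert signs sha256(clientDataJSON) with the key for rpID. A lookalike
// domain has no key here, so there is nothing for a phishing page to collect.
func (a *Authenticator) Assert(rpID string, userPresent bool, cd ClientData) (sig, clientDataJSON []byte, err error) {
	if !userPresent {
		return nil, nil, errors.New("user presence check failed")
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential for rpID %q", rpID)
	}
	if clientDataJSON, err = json.Marshal(cd); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(clientDataJSON)
	return ed25519.Sign(priv, h[:]), clientDataJSON, nil
}

// RelyingParty is the website: it holds public keys and unused challenges only.
type RelyingParty struct {
	Origin     string
	pubKeys    map[string]ed25519.PublicKey // user -> public key
	challenges map[string]bool              // issued and not yet consumed
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues a random single-use nonce so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b)
	rp.challenges[c] = true
	return c, nil
}

// Verify is where the machine does the string comparison: the origin inside the
// signed client data must equal the RP's own origin, the challenge must be fresh,
// and the signature must verify under the enrolled public key.
func (rp *RelyingParty) Verify(user string, clientDataJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed %q, expected %q", cd.Origin, rp.Origin)
	}
	if !rp.challenges[cd.Challenge] {
		return errors.New("unknown or replayed challenge")
	}
	delete(rp.challenges, cd.Challenge) // consume it: second use fails above
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	h := sha256.Sum256(clientDataJSON)
	if !ed25519.Verify(pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Login models one browser session; the browser supplies observedOrigin and rpID.
func Login(rp *RelyingParty, auth *Authenticator, user, observedOrigin, rpID string, userPresent bool) error {
	c, err := rp.NewChallenge()
	if err != nil {
		return err
	}
	sig, cdj, err := auth.Assert(rpID, userPresent, ClientData{Challenge: c, Origin: observedOrigin})
	if err != nil {
		return err
	}
	return rp.Verify(user, cdj, sig)
}

// Setup enrolls the constructed user "alice" at the constructed origin https://example.com.
func Setup() (*RelyingParty, *Authenticator, error) {
	rp, auth := NewRelyingParty("https://example.com"), NewAuthenticator()
	pub, err := auth.Register("example.com")
	if err != nil {
		return nil, nil, err
	}
	rp.Enroll("alice", pub)
	return rp, auth, nil
}

func main() {
	rp, auth, err := Setup()
	if err != nil {
		panic(err)
	}
	fmt.Println("real site:      ", Login(rp, auth, "alice", "https://example.com", "example.com", true))
	fmt.Println("no biometric:   ", Login(rp, auth, "alice", "https://example.com", "example.com", false))
	fmt.Println("lookalike site: ", Login(rp, auth, "alice", "https://examp1e.com", "examp1e.com", true))
	fmt.Println("relayed to rp:  ", Login(rp, auth, "alice", "https://examp1e.com", "example.com", true))
}
```

The two phishing cases show the point of the thread: on the lookalike domain the authenticator simply has no credential, and even if a relay proxies the real site's challenge, the origin the browser observed is baked into what gets signed, so the real site rejects it without the user ever having read a domain name.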
You make very good points! The user-focused design work of the FIDO group feels like a large departure from traditional designs, but it need not be viewed that way in terms of those elements.