Phishing-Resistant Authenticator Proposed Updates #798

Closed
6 tasks done
idmken opened this issue Feb 19, 2024 · 0 comments · Fixed by #805

Comments

idmken (Contributor) commented Feb 19, 2024

Description of Issue:

Consider these updates in the next playbook update.

  • The phishing-resistant authenticator playbook should mention attestation and metadata. Right now it's ambiguously mentioned in the call-out on BYOA. Reference: https://fidoalliance.org/fido-technotes-the-truth-about-attestation/
  • In the Key Terms section the FIDO Passkey definition should be updated. For better or worse, the FIDO terms keep changing as they evolve. Now the term "Passkey" means any discoverable credential, whether it is exportable or not. So a FIDO credential on a YubiKey or Microsoft's future release of their Authenticator app would be called a "device-bound Passkey". A FIDO credential on Google or Apple would be called a "synced Passkey". Yes, super confusing, but I think you would just need to change the term to read as:
    • FIDO Passkey - A Passkey is a FIDO discoverable credential where the individual unique key may be exportable and shareable between devices and people. Passkeys that are exportable are called synced Passkeys and Passkeys that are not are called device bound Passkeys. Passkeys are controlled by the Authenticator which defines if they are syncable or not.
    • I would add the sentence to the Authenticator definition to emphasize its role in Passkeys. "Authenticators control and protect Passkeys"
  • Clarify this biometric best practice. It's confusing what it means, maybe give an example. - For multi-factor authentication, always and only use a biometric with a physical device (something you have) and never with a knowledge factor (something you know).
  • Deployment section - recommend having a key stakeholder or executive make a video of how to use the new authenticator.
  • Deployment section - Have an org rule or policy that the secondary authenticator is used at least monthly so users don't forget how to use it.
  • Deployment - specific training for help desk including SOPs.

Link to the Content Page for Contributors:

https://www.idmanagement.gov/playbooks/altauthn/
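The first two items above (attestation/metadata and the synced versus device-bound Passkey distinction) are both visible to a relying party at registration time in the WebAuthn authenticator data: the attested AAGUID identifies the authenticator model for a metadata lookup, and the backup-eligible (BE) and backup-state (BS) flags say whether the credential can be synced. The following is an added example written for this page, not code from the playbook or the idmanagement.gov project; the AAGUID allowlist and the sample registrations are constructed for illustration (a real deployment would populate the allowlist from the FIDO Metadata Service).

```python
import hashlib
import struct
import uuid

# Bit positions in the WebAuthn authenticator-data "flags" byte
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced (multi-device)
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the sign count
FLAG_ED = 0x80  # extension data present

# Constructed stand-in for metadata-derived policy. These AAGUIDs are made up
# for this example; a real relying party would load them from the FIDO MDS.
ALLOWED_AAGUIDS = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): "Example hardware key (constructed)",
    uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"): "Example platform authenticator (constructed)",
}


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and (if AT is set) attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "aaguid": None,
        "credential_id": None,
        "credential_public_key_cbor": b"",
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
        parsed["credential_public_key_cbor"] = auth_data[55 + cred_len:]
    return parsed


def classify_passkey(parsed: dict) -> str:
    """Device-bound when the credential is not backup eligible, otherwise synced."""
    return "synced" if parsed["backup_eligible"] else "device-bound"


def evaluate_registration(auth_data: bytes, require_device_bound: bool = False) -> dict:
    """Apply a metadata allowlist plus a synced/device-bound policy to one registration."""
    parsed = parse_authenticator_data(auth_data)
    reasons = []
    if parsed["aaguid"] is None:
        reasons.append("no attested credential data")
    elif parsed["aaguid"] not in ALLOWED_AAGUIDS:
        reasons.append("authenticator model not in metadata allowlist")
    if not parsed["user_verified"]:
        reasons.append("user verification not performed")
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        reasons.append("backup state set on a credential that is not backup eligible")
    kind = classify_passkey(parsed)
    if require_device_bound and kind == "synced":
        reasons.append("policy requires a device-bound Passkey")
    return {
        "accepted": not reasons,
        "kind": kind,
        "model": ALLOWED_AAGUIDS.get(parsed["aaguid"]),
        "reasons": reasons,
    }


def build_sample(flags: int, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Construct sample authenticator data for RP ID example.org (test fixture, not real output)."""
    rp_id_hash = hashlib.sha256(b"example.org").digest()
    placeholder_cose_key = b"\xa0"  # empty CBOR map standing in for the COSE public key
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + placeholder_cose_key)


if __name__ == "__main__":
    hw = build_sample(FLAG_UP | FLAG_UV | FLAG_AT,
                      uuid.UUID("11111111-2222-3333-4444-555555555555"), b"\x01" * 16)
    synced = build_sample(FLAG_UP | FLAG_UV | FLAG_AT | FLAG_BE | FLAG_BS,
                          uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"), b"\x02" * 16)
    print(evaluate_registration(hw, require_device_bound=True))
    print(evaluate_registration(synced, require_device_bound=True))
```

The BE/BS flags are what let a relying party tell a synced Passkey from a device-bound one without trusting a vendor name, and the AAGUID is only meaningful when the attestation statement that carries it has been verified; this example assumes that verification has already happened and shows only the policy step that follows it.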

@idmken idmken changed the title FIDO Attestation and Metadata Service Phishing-Resistant Authenticator Proposed Updates Feb 20, 2024
idmken added a commit that referenced this issue Feb 22, 2024