
Phishing-Resistant Authenticator Proposed Updates #798

@idmken

Description

Description of Issue:

Consider these updates in the next playbook update.

  • The phishing-resistant authenticator playbook should mention attestation and metadata. Right now it's ambiguously mentioned in the call-out on BYOA. Reference: https://fidoalliance.org/fido-technotes-the-truth-about-attestation/
  • In the Key Terms section the FIDO Passkey definition should be updated. For better or worse, the FIDO terms keep changing as they evolve. Now the term "Passkey" means any discoverable credential, whether exportable or not. So a FIDO credential on a YubiKey or Microsoft's future release of their Authenticator app would be called a "device-bound Passkey". A FIDO credential on Google or Apple would be called a "synced Passkey". Yes, super confusing, but I think you would just need to change the term to read as:
    • FIDO Passkey - A Passkey is a FIDO discoverable credential where the individual unique key may be exportable and shareable between devices and people. Passkeys that are exportable are called synced Passkeys, and Passkeys that are not are called device-bound Passkeys. Passkeys are controlled by the Authenticator, which defines whether they are syncable or not.
    • I would add this sentence to the Authenticator definition to emphasize its role in Passkeys: "Authenticators control and protect Passkeys."
  • Clarify this biometric best practice. It's confusing what it means, maybe give an example. - For multi-factor authentication, always and only use a biometric with a physical device (something you have) and never with a knowledge factor (something you know).
  • Deployment section - recommend having a key stakeholder or executive make a video of how to use the new authenticator.
  • Deployment section - Have an org rule or policy that the secondary authenticator is used at least monthly so users don't forget how to use it.
  • Deployment - specific training for help desk including SOPs.

Link to the Content Page for Contributors:

https://www.idmanagement.gov/playbooks/altauthn/
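The attestation/metadata and synced-versus-device-bound points above come together at the relying party, which learns both from the `authenticatorData` returned during registration: the BE (backup eligible) flag is how the authenticator reports whether the credential may be synced, and the AAGUID is the key into FIDO metadata. The following is an added example (not code from this issue, the playbook, or any FIDO project) of that check in Python; the AAGUID allowlist, relying party ID `example.gov` and the sample `authenticatorData` bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# authenticatorData flag bits (WebAuthn Level 3, section 6.1): UV, BE (backup eligible), BS, AT.
FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x04, 0x08, 0x10, 0x40
# Constructed stand-in for a FIDO Metadata Service allowlist (AAGUID -> description).
# A real relying party loads this from the signed MDS BLOB; this entry is made up.
APPROVED_AAGUIDS = {"11111111-2222-3333-4444-555555555555": "example hardware key (constructed)"}
ZERO_AAGUID = str(uuid.UUID(int=0))  # an all-zero AAGUID carries no authenticator identity


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse rpIdHash, flags and (if attested credential data is present) the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    info = {
        "rp_id_hash": auth_data[:32],
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),  # set by the authenticator if it may sync the key
        "backed_up": bool(flags & FLAG_BS),        # set once the key actually is synced
        "aaguid": None,
    }
    # The authenticator, not the relying party, decides syncability; BE is how it reports that.
    info["passkey_kind"] = "synced" if info["backup_eligible"] else "device-bound"
    if flags & FLAG_AT and len(auth_data) >= 55:
        info["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))  # credential ID and COSE key follow
    return info


def evaluate_registration(auth_data: bytes, rp_id: str, require_device_bound: bool) -> list:
    """Return policy findings for a registration response; an empty list means acceptable."""
    info = parse_authenticator_data(auth_data)
    findings = []
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash does not match the relying party ID")
    if not info["user_verified"]:
        findings.append("user verification (UV) flag not set")
    if require_device_bound and info["passkey_kind"] == "synced":
        findings.append("backup-eligible (synced) Passkey rejected by device-bound policy")
    if info["aaguid"] in (None, ZERO_AAGUID):
        findings.append("no usable AAGUID; authenticator metadata cannot be checked")
    elif info["aaguid"] not in APPROVED_AAGUIDS:
        findings.append(f"AAGUID {info['aaguid']} is not in the approved metadata list")
    return findings


def build_sample_auth_data(rp_id: str, flags: int, aaguid: str) -> bytes:  # constructed test input
    cred_id = b"\xab" * 16  # constructed credential ID; b"\xa0" stands in for the COSE key
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT]) + struct.pack(">I", 1)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```

The AAGUID check only has meaning when the attestation statement itself has been verified against the metadata entry's root certificates; this block shows the policy decision that follows, not the signature verification.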
