"Ultimately, in such a world, sites only operate on a single bit of information about any registration: was this public-key generated in a certified device or not? The FIDO Alliance wants to run the certification process, so then the problem reduces down to providing that bit to the site."
Are we really building a web where a single organisation gets to decide which devices people can use to access any website securely? I don't know if that's worse than a web where individual sites can say "Only Windows/Android/iOS/WeChat users can create accounts here".
Before long, the requirements for a "secure" device will be one which effectively implements something like DRM (i.e. has secret signing keys outside of your control), probably requiring biometrics (iris scan or fingerprint), and possibly phoning home to a government or corporation, to check for firmware updates or revocation information (i.e. a kill switch, like in AACS).
I think you can swap out FIDO in the role of certification for any other group willing to run the process of certifying devices, so it is basically just CA style PKI for client certs again but with an initial attempt at a free CA.
I think FIDO specifications and most organizations feeling pressure to at least support devices they approve would mostly be good for the user.
The rate at which FIDO will introduce more invasive behavior instead of user-benefiting behavior, before there is a version too common for most sites to reject, is going to be related to the level to which proprietary dongles issued by banks, etc., remain acceptable.
In the FIDO case, the consumer actually is the customer, so negative features will have to arrive by vendors fighting their own customers' interests and pushing institutions to reject their older devices. I think they probably will, but not at the rate they can fight users when the institution is the customer.
A likely scenario is that, just as with mobile OSes or browsers, there will be effectively an oligarchy or cartel of approved FIDO device manufacturers, who will end up setting the rules to make it hard for new manufacturers to join the trusted set.
This is basically a huge coordination problem, and there are natural barriers to entry against becoming a globally accepted provider of hardware which websites are prepared to trust.
History has shown that, as long as a market appears to have two options, people will be content to choose the lesser of two evils rather than invest time and effort into changing the system to add more options.
So far it doesn't seem to be the case. FIDO has done a great job of pushing adoption of the standard, and finally even Safari/Apple seems to be supporting it.
On the device side, there are also open source solutions (disclaimer: I work on SoloKeys).
Other than Vanguard, Amazon AWS also temporarily launched support for fido2/u2f only with yubikeys, but soon after they relaxed the requirements. It might be just a marketing/co-sponsorship move.
This is not to say that the risk isn’t there, but support for anonymous attestation is certainly a great feature, and it’s already available (though, not sure if implemented).
I have to say, the short description of arithmetic circuits in elliptic curve finite fields in this blog post is probably one of the clearest and most concise I've seen. Bravo!
As for the problem of user-agent sniffing, well, it is done for a reason. Probably there's less of it these days than there used to be as browsers got better and more standards compliant. I'd be interested to know why Vanguard restrict to YubiKeys, perhaps someone from the FIDO alliance can find out.
That big financial site would be Vanguard which only allows Yubikeys for U2F. Blogger is/was a Googler right? I heard they use them for their retirement accounts.
Vanguard has recently moved to require[0] some form of 2FA for online account access, probably in an attempt to either improve security (optimistic) or shift liability for phishing to consumers (cynical). They do this by forcing[0] you to sign up for SMS 2FA initially, which as informed readers should know, is total crap for 2FA and frequently hijacked by bad actors. I'm not a fan of this policy.
[0]:
> When it comes to account security, everyone has a role to play. So we're now requiring you to sign up to receive security codes. These codes provide a type of 2-step verification that adds an extra level of security to your accounts.
You can avoid signing up for 2FA after login by clicking "Get started," then "Cancel" without marking that you agree to the terms, and then manually navigating to your desired URL, e.g., https://personal.vanguard.com/us/myaccounts/balancesholdings .
As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is still an "extra hurdle" that improves security over just a password. The problem comes when a site allows account resets over SMS because then they've just traded one single factor (a password) for another weaker one (SMS).
> As a 2nd or 3rd factor SMS is usually fine. Hijacking a text message is still an "extra hurdle" that improves security over just a password
Perhaps, but often 2FA is leaned on to reduce the significance of the primary factor or shift liability.
> The problem comes when a site allows account resets over SMS because then they've just traded one single factor (a password) for another weaker one (SMS).
Yeah, exactly — that would be one way some "2FA" systems weaken the primary factor.
Direct Anonymous Attestation (DAA) has the extra feature that signature computation can be split between trusted device and host. How does this compare?
There are various groupish signature systems (including DAA and BBS[1]) that would probably be a better answer here, _if you controlled the signers_. But, in this context, the devices have shipped and they do P-256 ECDSA. So the question then becomes, what _can_ we do without being able to change the signers? Can we plausibly retrofit something onto them?
I see, thank you for the clarification. I was just surprised to read it takes several seconds on a 4 GHz CPU. For example, the chip we're using in Solo is an STM32 at 80 MHz, so it's prob impractical (but in fairness I don't have numbers on DAA either).