(no title)
sebk | 2 years ago
In general, the intent of attestation seems to be enterprise use cases where companies want to issue authenticators that meet certain capabilities, and only allow those capabilities as attested by a trusted party. For instance, a company might mandate Webauthn with user verification for their internal systems, and they don't want an employee using a software based virtual authenticator that fakes UV and keeps key material in plain text, so they issue Yubikeys to their staff and only allow Yubikeys to be used for logging in (issued or otherwise, as the RP can't differentiate them). I have not seen a single instance of attestation being used to gatekeep access to an otherwise public service, but I'd like to see some examples if there are any. Enterprise attestation is a different beast, however, and can uniquely identify an individual security key, but this has significant management overhead and will not be seen outside of enterprise use cases.
Now I understand you personally don't value attestation as highly as some other features of WebAuthn and that's fine, I'm on the same boat. However that's the nature of standards and how they come about, there's multiple interests in the working groups. It's hard to say what's the "biggest" security increase because that's entirely relative to the individual or corporation implementing, consuming, or standarizing the functionality.
As to whether there can be a phishing-resistant trust-establishment mechanism, I absolutely agree that there can be. All I'm saying is that there isn't an interoperable one currently, and that it's hard to establish interoperability across vendors and without an online sync fabric (I'd presume most users would want to export key material to a file or otherwise not rely necesarily on a third party phone-home service to export keys). I also think that it exceeds the scope of FIDO and will have to be primarily OS-vendor-driven. For me, personally, this along with something like the recovery extension that Yubico is promoting is one of the potential future features I'm most excited about.
Related, and for the other reason why import/export is hard, which is the reasoning about the ecosystem, I don't think that even with such a mechanism we'll ever be able to export keys out if iCloud Keychain and into KeePassXC. What will most likely happen is that credentials generated by KeePaasXC and backed by hardware, will be able to be imported/exported in/out of devices in the same trust circle, using a KeePassXC sync fabric as the sync mechanism.
danShumway|2 years ago
I would question whether 100k devices is actually a big enough pool to protect privacy. Regardless, that is "an expansion of information", right? It's a pretty decent fingerprinting vector to start with when combined with other device information.
> For instance, a company might mandate Webauthn with user verification for their internal systems, and they don't want an employee using a software based virtual authenticator that fakes UV and keeps key material in plain text
At the point where a company is in that position, they should be supplying their own locked down devices. This is an extremely narrow use case, much more narrow than "I'd like to be able to use this on a Linux machine." And the companies that are in that position have much greater resources to solve that problem by issuing dedicated hardware that's locked down in general. It doesn't need to be part of the spec.
In practice, where this will be used most often is with banking apps, which I've argued elsewhere are not nearly responsible enough to be trusted with this extra information and are usually startlingly insecure. They can get on board with basic security techniques that the rest of the industry has already implemented before we discuss giving them more control over my hardware.
People keep billing this as a compromise, but it's not really. The attestation proponents are asking for a capability that doesn't exist, they're asking for a level of insight into my hardware that login methods have never provided before. The status quo is "no, of course you don't get that." If they want to change the status quo, asking for "compromise" isn't the way to do it, providing real proof that it's not going to be abused (which, I'll mention in a second I don't think is safe to assume) and that it'll provide meaningful security increases is where they should start.
> I have not seen a single instance of attestation being used to gatekeep access to an otherwise public service, but I'd like to see some examples if there are any.
Continuing from the above, I've seen both intent (https://developer.apple.com/forums/thread/708982) and practice (https://arstechnica.com/civis/threads/passwordless-google-ac...).
Also attestation in the form of SafetyNet (https://developer.android.com/training/safetynet/attestation) and the more recent Play Integrity API has been used for DRM in plenty of instances, even for very trivial services like Netflix. So it seems pretty reasonable to extrapolate out that services that already use attestation for DRM today are going to use it when it's available for WebAuthn.
The default assumption ought to be that this is going to be abused. Every instance of attestation in the past has been abused. Why would we just assume that suddenly companies are going to be nice about it?
> However that's the nature of standards and how they come about, there's multiple interests in the working groups.
Right, and the way you force that collaboration is by refusing to go along with standards that are harmful. I'm not part of this standards process, it's their job to build a standard that appeals to me if they want me to use it. If they can't do that, then I won't use it. And I'll advise other people not to use it and I'll tell people (truthfully) that I believe it's a harmful standard. As users/stakeholders, we force collaboration by laying out very clearly where our limits are so we can focus on finding solutions that solve multiple use-cases.
I'm willing to compromise on a lot of stuff. Not this. If the big stakeholders also aren't willing to compromise on it, then we'll stick with passwords. That's fine with me. The FIDO group doesn't have an inherent right to have people pay attention to them. It's their job to come up with a standard that's good enough that people want to pay attention to it.
> All I'm saying is that there isn't an interoperable one currently, and that it's hard to establish interoperability across vendors and without an online sync fabric
Some of us would argue that is also entirely the FIDO Alliance's problem to solve given that they exist to build the FIDO standard and are the most invested party in getting the rest of us to adopt their solution.
Normally when people get together to build Open standards, they start with an Open implementation as a proof of concept. FIDO Alliance seems to be under the impression that it's everyone else's problem that nobody has built an Open implementation of their "Open" spec for them. That's just not how this should work.
> and will have to be primarily OS-vendor-driven
It's a good thing that all of those OS-vendors are part of the FIDO Alliance and are currently involved in a process that provides them with a great opportunity to sit down with each other and hash this out then.
> What will most likely happen is that credentials generated by KeePaasXC and backed by hardware, will be able to be imported/exported in/out of devices in the same trust circle, using a KeePassXC sync fabric as the sync mechanism.
That wouldn't solve any of my problems; the sync fabric isn't the important part -- I want to control my own keys. What does an "Open" sync fabric that restricts keys to specific devices even look like? That's certainly not Open in the sense that I control the sync fabric or can compile/change it myself.
sebk|2 years ago
I can't comment on the intent link, as there's no information. But the "practice" link is simply incorrect. Google does in fact allow a Yubikey to be used as a passkey, I have one configured myself. It shows up as "FIDO2 security key". What I assume is happening in that link you sent is that the user's yubikey does not have a PIN set for the FIDO2 interface, which means that it can't provide user verification and therefore is not a passkey as far as Google is concerned. This is the kind of reasoning about the capabilities of the authenticator that I was talking about, and it doesn't have to do with attestation.
> it's their job to build a standard that appeals to me if they want me to use it
They're appealing to OEMs, vendors and service providers as well. I also don't quite see how merely having attestation in the standard is harmful. RPs and users can chose not to require or provide it. If RPs decided they needed it for malicious purposes, would not having it in the standard suffice for them to be benign?
> That wouldn't solve any of my problems; the sync fabric isn't the important part -- I want to control my own keys.
It would, because then the sync fabric is free to provide you with an exported version that's wrapped in a key of your choosing. It's open in the sense that any one software can import/export keys out of hardware devices that are currently restricted to the hardware vendor.