alex.
Original Message:
Sent: Feb 14, 2023 07:03:42 AM
From: Nya Murray
Subject: Passkeys as a component of Zero Trust
It's all very worrying, @Dario Salice @Alex Sharpe. BTW, thanks for sharing the link on ZT and National Defence, Alex.
Here is a recent CISA alert on near misses to Energy Industry ICS/SCADA and other devices, FYI.
On the subject of energy, particularly alarming is time synchronisation from satellites, currently being targeted. Here is an interesting paper about protecting vulnerable critical infrastructure nodes from this threat, authored by faculty members at Politecnico di Torino in Italy; they reference an initiative called Trusted Computing.
Nya
------------------------------
Nya Murray
Director
Trac-Car
Original Message:
Sent: Feb 13, 2023 12:46:49 PM
From: Dario Salice
Subject: Passkeys as a component of Zero Trust
Thank you for sharing @Nya Murray
It's great to see that people are talking - and thinking - about passkey. If we're going with the assumption that passkeys are meant to replace the password during initial authentication, re-authentication, and step-up authentication, we're not changing much on the identity model. Implementing passkeys doesn't mean that existing recovery methods will disappear.
If people think that passkey is a silver bullet to solve identity / login issues, then they're going to be disappointed. Even with passkey, there's still going to be a need for (phishing resistant) MFA and other mechanisms to protect the accounts from being compromised.
------------------------------
Dario Salice
Technology Advisor
jenario
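To make concrete what "phishing resistant" means for a passkey login, here is an added example (not code from anyone in this thread, and not a production WebAuthn library) that simulates one FIDO2/WebAuthn assertion ceremony in Go with only the standard library. A stand-in authenticator holds a P-256 key scoped to an RP ID and signs the challenge together with the RP ID hash and the origin the browser reports; the relying party then runs the WebAuthn section 7.2 checks. The names example.com, https://example.com.evil.test and the fixed strings "challenge-1"/"challenge-2" are constructed for the demonstration; attestation, CBOR/COSE key encoding, the registration ceremony and the signature counter are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn CollectedClientData the browser fills in; page script cannot forge Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4, left at 0 in this simulation)
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA/P-256 over signedDigest(...)
}

// Authenticator simulates a platform authenticator holding one passkey scoped to one RP ID.
type Authenticator struct {
	rpID string
	key  *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, key: key}, nil
}

// Sign answers a challenge. The origin is whatever the browser reports; the authenticator only knows its RP ID.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(a.rpID))
	authData := make([]byte, 37)
	copy(authData, rpIDHash[:])
	authData[32] = 0x01 // flags: UP (user present)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)), the message a WebAuthn authenticator signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// RelyingParty holds the public key it stored for this passkey at enrolment.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
}

// Verify applies the server-side checks from WebAuthn section 7.2 that make passkey logins phishing-resistant.
func (rp *RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.RPID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, rp.Origin)
	case len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], want[:]):
		return errors.New("rpIdHash mismatch: credential is scoped to a different RP")
	case as.AuthenticatorData[32]&0x01 == 0:
		return errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(rp.Pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("example.com")
	rp := &RelyingParty{RPID: "example.com", Origin: "https://example.com", Pub: &auth.key.PublicKey}
	// Constructed challenges; a real server draws fresh random bytes per ceremony and consumes them once.
	genuine, _ := auth.Sign("https://example.com", "challenge-1")
	fmt.Println("genuine login:", rp.Verify("challenge-1", genuine))
	phished, _ := auth.Sign("https://example.com.evil.test", "challenge-2")
	fmt.Println("phished login:", rp.Verify("challenge-2", phished))
}
```

The same key signs both assertions, yet the one produced on the look-alike origin is rejected because the origin and RP ID hash are inside the signed data, which is the property a password or OTP lacks. In a real browser the passkey would not even be offered on the wrong origin, since the RP ID must be a registrable suffix of the page's domain; the server-side checks are the backstop. A deployment must also generate and store the challenge per ceremony, and check the signature counter when the authenticator reports a non-zero one (synced passkeys commonly report zero).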
Original Message:
Sent: Feb 13, 2023 09:22:22 AM
From: Nya Murray
Subject: Passkeys as a component of Zero Trust
Passkeys and FIDO, while I get that they are attractive to people wanting a simpler life, are quite simply a single point of identity failure.
Remember, the one really good aspect of blockchain is that it was originally designed for non-repudiation, even though there are a number of flaws in the implementation as well as the design.
Quite honestly, it is missing the Zero Trust point if you continue to think there is a simple solution to the biggest growing threat vector, i.e. identity fraud.
The security foundation of trust proof-of-concept with which I am engaging has three strong and separate authentication methods, at the identity layer, the network layer and the application layer, with payload encryption at all levels, able to be proved to auditors by integration of monitoring logs. Have an offer from a group of ethical hackers to test this out in earnest :)
Edge computing posture supplied by SSE solutions is at best tinkering at the edges (no pun intended), and quite possibly introduces more security holes, if any of the technologies are vulnerable, which they are.
Zero Trust security currently seems like an empty slogan.
------------------------------
Nya Murray
Director
Trac-Car
Original Message:
Sent: Feb 10, 2023 09:46:47 AM
From: Alex Sharpe
Subject: Passkeys as a component of Zero Trust
Welcome, Dario. I have been heads down on other workstreams. If you email me ([email protected]) I will connect you with people who know the status better than me. Cheers, alex.
------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
Original Message:
Sent: Feb 10, 2023 09:02:06 AM
From: Dario Salice
Subject: Passkeys as a component of Zero Trust
I just recently joined this group and am glad to see that passkey is on the radar for your research. Has there been any progress on that since the last post from @Alex Sharpe in October? I'd be happy to contribute to this. I was on the Board of the FIDO Alliance for almost 4 years until I left my position at Meta last October.
------------------------------
Dario Salice
Technology Advisor
jenario
Original Message:
Sent: Oct 28, 2022 10:39:21 AM
From: Alex Sharpe
Subject: Passkeys as a component of Zero Trust
Your post is very timely @Jim Reavis. While developing the planning training module (5) we have been kicking around examples. The movement of passwords to passwordless as part of a Zero Trust journey might be one of the easier examples for the student to grasp. I'll propose some language to the rest of the group. Thank you for placing it on the radar.
To the broader question, I do not see how CSA can ignore Passkeys or FIDO in its research. It seems to me, the question is to what extent. I do not know the answer but the answer lies in the needs of the constituents and CSA's strategy. Maybe the place to start is with the basics. Historically, the thinking has been a combination of (1) what you know (e.g., password), (2) what you have (e.g., token), and (3) who you are (e.g., thumbprint) are sufficient. Behavior and geography now play a significant role, especially with a remote workforce. Maybe a short thought piece on how things have changed?
------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Original Message:
Sent: Oct 27, 2022 12:35:38 PM
From: Jim Reavis
Subject: Passkeys as a component of Zero Trust
Hi All,
I had one of the founders of FIDO Alliance reach out to me about Passkeys, a mechanism for enabling FIDO authentication.
Lots of news in the past few days about its adoption; this seems like it could be a significant development in eliminating passwords and an important means for implementing Zero Trust principles, particularly on the client side. Should we reference it in our research?
https://arstechnica.com/information-technology/2022/10/passkeys-microsoft-apple-and-googles-password-killer-are-finally-here/
https://fidoalliance.org/passkeys/
------------------------------
Jim Reavis CCSK
Cloud Security Alliance
Bellingham WA
------------------------------