Your post is very timely, @Jim Reavis. While developing the planning training module (5) we have been kicking around examples. The movement of passwords to passwordless as part of a Zero Trust journey might be one of the easier examples for the student to grasp. I'll propose some language to the rest of the group. Thank you for placing it on the radar.
To the broader question, I do not see how CSA can ignore Passkeys or FIDO in its research. It seems to me, the question is to what extent. I do not know the answer but the answer lies in the needs of the constituents and CSA's strategy. Maybe the place to start is with the basics. Historically, the thinking has been that a combination of (1) what you know (e.g., password), (2) what you have (e.g., token), and (3) who you are (e.g., thumbprint) is sufficient. Behavior and geography now play a significant role, especially with a remote workforce. Maybe a short thought piece on how things have changed?
------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
------------------------------
Original Message:
Sent: Oct 27, 2022 12:35:38 PM
From: Jim Reavis
Subject: Passkeys as a component of Zero Trust
Hi All,
I had one of the founders of FIDO Alliance reach out to me about Passkeys, a mechanism for enabling FIDO authentication.
Lots of news in the past few days about its adoption; this seems like it could be a significant development in eliminating passwords and an important means for implementing Zero Trust principles, particularly on the client side. Should we reference it in our research?
https://arstechnica.com/information-technology/2022/10/passkeys-microsoft-apple-and-googles-password-killer-are-finally-here/
https://fidoalliance.org/passkeys/
------------------------------
Jim Reavis CCSK
Cloud Security Alliance
Bellingham WA
------------------------------