Thanks Jim. I've passed this info along to the leads of our ZT Identity and IAM research working groups for awareness and consideration. Initial feedback is favorable.
------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
Leesburg VA
------------------------------
I just recently joined this group and am glad to see that passkey is on the radar for your research. Has there been any progress on that since the last post from @Alex Sharpe in October? I'd be happy to contribute to this. I was on the Board of the FIDO Alliance for almost 4 years until I left my position at Meta last October.
Welcome, Dario. I have been heads down on other workstreams. If you email me ([email protected]) I will connect you with people who know the status better than me. Cheers, alex.
Passkeys and FIDO, while I get that they are attractive to people wanting a simpler life, are quite simply a single point of identity failure.
Remember, the one really good aspect of blockchain is that it was originally designed for non-repudiation, even though there are a number of flaws in the implementation as well as the design.
Quite honestly, it is missing the Zero Trust point if you continue to think there is a simple solution to the biggest growing threat vector, i.e. identity fraud.
The security foundation of trust proof-of-concept with which I am engaging has three strong and separate authentication methods, at the identity layer, the network layer and the application layer, with payload encryption at all levels, able to be proved to auditors by integration of monitoring logs. I have an offer from a group of ethical hackers to test this out in earnest :)
Edge computing posture supplied by SSE solutions is at best tinkering at the edges (no pun intended), and quite possibly introduces more security holes, if any of the technologies are vulnerable, which they are.
Zero Trust security currently seems like an empty slogan.
Thank you for sharing @Nya Murray
It's great to see that people are talking - and thinking - about passkey. If we're going with the assumption that passkeys are meant to replace the password during initial authentication, re-authentication, and step-up authentication, we're not changing much in the identity model. Implementing passkeys doesn't mean that existing recovery methods will disappear.
If people think that passkey is a silver bullet to solve identity / login issues, then they're going to be disappointed. Even with passkey, there's still going to be a need for (phishing-resistant) MFA and other mechanisms to protect the accounts from being compromised.
It's all very worrying @Dario Salice @Alex Sharpe - BTW, thanks for sharing the link on ZT and National Defence, Alex.
Here is a recent CISA alert on near misses to Energy Industry ICS/SCADA and other devices, FYI.
On the subject of energy, particularly alarming is time synchronisation from satellites, currently being targeted. Here is an interesting paper about protecting vulnerable critical infrastructure nodes from this threat authored by faculty members at Politecnico di Torino in Italy - they reference an initiative called Trusted Computing.
Thank you, @Nya Murray. I had not seen the paper out of Italy. Much appreciated.
Hi Dario,
Many thanks for the post.
As discussed over email, please let us work together to produce deliverables related to and using research on passkeys.
Kind regards,
Shruti Kulkarni
We managed to get it over the line and publish the blog post about passkey.
I hope you like the post; let me know if you have any questions.