Dailydave mailing list archives
Some thoughts on...biometrics and FIDO
From: Dave Aitel <dave () immunityinc com>
Date: Tue, 29 Oct 2013 14:09:16 -0400
So I got to watch a presentation on FIDO <http://www.usatoday.com/story/cybertruth/2013/10/28/qa-implications-of-the-coming-of-biometric-wave/3286381/> yesterday. They're an "industry group" (tm) which is pressing forward a standard for doing authentication from mobile devices to websites. Their goal is to define a protocol where you create a certificate (they refuse to call it a cert, but it's an RSA key) which you secure locally on your device via a thumbprint (or private-parts print, if you're Nick <http://www.tomsguide.com/us/iphone-fingerprint-scanner-test,news-17587.html>). Then you present a little XML file with "<I used a thumb print><here is my cert>" to websites which ask for it. They go look for your cert in their private DB of certs, and authenticate you. And your user experience is simply opening up the website, and pressing your thumb to something.

Here are some issues with it:

1. The name should really be "FIDONet", for the old timers, right? :>

2. They have PayPal and Google on board. Google already has google-wallet, and PayPal has paypal and they're competitors and they're missing the other big player in the mobile space...Apple. Without Apple, I don't see this going anywhere, and I don't see Apple joining them, so it's a bit of a dead end. Once they GET Apple they then have to get both Microsoft and Apache.

3. The technology itself is too simple. There's really nothing to keep someone from collecting the certs off a phone and re-using them.

And in summary, everyone wants remote attestation (aka, PALLADIUM/NGTCB), but nobody appears to have read or understood the NGTCB documents who is working in this space. (Or they've read 'em, and they're ignoring them because of business reasons, which is more likely.)

-dave
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
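The exchange the post sketches (device generates an RSA key, the site keeps the public half in its own DB, the device later presents "I used a thumb print" plus a signature) as an added, self-contained Go example. This is not code from the post or from any FIDO specification; the RSA-PSS signature, the per-login server challenge, the signature counter and the user/key names are assumptions introduced here to show what a relying party can and cannot check. The scenario at the end registers a key, performs one login, then presents the same captured assertion a second time.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assertion is the device's message to the website: the post's
// "<I used a thumb print><here is my cert>", plus a server challenge and a
// counter (both assumptions added here) that the signature covers.
type Assertion struct {
	UserID       string
	Challenge    []byte // nonce the site issued for this login attempt
	Counter      uint32 // must increase on every use of the key
	UserVerified bool   // "I used a thumb print"
	Signature    []byte // RSA-PSS over signedBytes(...)
}

// signedBytes is the exact byte string both sides hash; it binds the
// signature to this challenge, this counter value and the verification flag.
func signedBytes(challenge []byte, counter uint32, uv bool) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	flag := byte(0)
	if uv {
		flag = 1
	}
	return append(append(append([]byte{}, challenge...), ctr[:]...), flag)
}

// Authenticator models the phone-side key holder.
type Authenticator struct {
	priv    *rsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // the post's "RSA key"
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

func (a *Authenticator) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Authenticate releases a signature only after the local biometric check
// (simulated by thumbprintOK) succeeds.
func (a *Authenticator) Authenticate(userID string, challenge []byte, thumbprintOK bool) (Assertion, error) {
	if !thumbprintOK {
		return Assertion{}, errors.New("local user verification failed; key not released")
	}
	a.counter++
	digest := sha256.Sum256(signedBytes(challenge, a.counter, true))
	sig, err := rsa.SignPSS(rand.Reader, a.priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{UserID: userID, Challenge: challenge, Counter: a.counter, UserVerified: true, Signature: sig}, nil
}

// RelyingParty models the website and its "private DB of certs".
type RelyingParty struct {
	keys     map[string]*rsa.PublicKey
	counters map[string]uint32
	pending  map[string][]byte // outstanding challenge per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{map[string]*rsa.PublicKey{}, map[string]uint32{}, map[string][]byte{}}
}

func (rp *RelyingParty) Register(userID string, pub *rsa.PublicKey) { rp.keys[userID] = pub }

// NewChallenge issues a fresh 32-byte nonce that a single login must echo back.
func (rp *RelyingParty) NewChallenge(userID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[userID] = c
	return c, nil
}

// Verify checks the assertion against the stored key; it rejects an unknown
// user, a stale or reused challenge, a missing verification flag, a counter
// that did not advance, and of course a bad signature.
func (rp *RelyingParty) Verify(as Assertion) error {
	pub, ok := rp.keys[as.UserID]
	if !ok {
		return errors.New("unknown user")
	}
	if want, ok := rp.pending[as.UserID]; !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge mismatch or already consumed")
	}
	if !as.UserVerified {
		return errors.New("user verification not asserted")
	}
	if as.Counter <= rp.counters[as.UserID] {
		return errors.New("counter did not advance: replayed assertion or cloned key")
	}
	digest := sha256.Sum256(signedBytes(as.Challenge, as.Counter, as.UserVerified))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], as.Signature, nil); err != nil {
		return fmt.Errorf("bad signature: %w", err)
	}
	delete(rp.pending, as.UserID) // one challenge, one login
	rp.counters[as.UserID] = as.Counter
	return nil
}

// RunScenario registers a constructed user "alice", logs in once, then presents
// the same captured assertion again. Returns (login accepted, replay rejected).
func RunScenario() (bool, bool, error) {
	dev, err := NewAuthenticator()
	if err != nil {
		return false, false, err
	}
	rp := NewRelyingParty()
	rp.Register("alice", dev.PublicKey())
	ch, err := rp.NewChallenge("alice")
	if err != nil {
		return false, false, err
	}
	as, err := dev.Authenticate("alice", ch, true) // thumb on the sensor
	if err != nil {
		return false, false, err
	}
	loginOK := rp.Verify(as) == nil
	replayRejected := rp.Verify(as) != nil // same bytes presented a second time
	return loginOK, replayRejected, nil
}

func main() {
	ok, rej, err := RunScenario()
	fmt.Println("login accepted:", ok, "| replay rejected:", rej, "| err:", err)
}
```

The challenge and counter are what let the site tell a live login from a captured assertion; they are the server side's only leverage. They say nothing about the post's third point: a private key copied off the phone signs fresh challenges just as well as the original, and the site has no way to tell the two apart without the kind of hardware-backed attestation the post's closing paragraph refers to.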