Dailydave mailing list archives

Some thoughts on...biometrics and FIDO


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 29 Oct 2013 14:09:16 -0400

So I got to watch a presentation on FIDO
<http://www.usatoday.com/story/cybertruth/2013/10/28/qa-implications-of-the-coming-of-biometric-wave/3286381/> yesterday.
They're an "industry group" (tm) which is pressing forward a standard
for doing authentication from mobile devices to websites. Their goal is
to define a protocol where you create a certificate (they refuse to call
it a cert, but it's an RSA key) which you secure locally on your device
via a thumbprint (or private-parts print, if you're Nick
<http://www.tomsguide.com/us/iphone-fingerprint-scanner-test,news-17587.html>).
Then you present a little XML file with "<I used a thumb print><here is
my cert>" to websites which ask for it. They go look for your cert in
their private DB of certs, and authenticate you. And your user
experience is simply opening up the website, and pressing your thumb to
something.

Here are some issues with it:

1. The name should really be "FIDONet", for the old timers, right? :>
2. They have PayPal and Google on board. Google already has Google
Wallet, and PayPal has PayPal; they're competitors, and they're
missing the other big player in the mobile space: Apple. Without
Apple, I don't see this going anywhere, and I don't see Apple joining
them, so it's a bit of a dead end. Once they GET Apple, they then have to
get both Microsoft and Apache.
3. The technology itself is too simple. There's really nothing to keep
someone from collecting the certs off a phone and re-using them.

And in summary, everyone wants remote attestation (aka
PALLADIUM/NGTCB), but nobody who is working in this space appears to
have read or understood the NGTCB documents. (Or they've read 'em, and
they're ignoring them because of business reasons, which is more likely.)

-dave

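As an added illustration (this is not code from the post, and it is not FIDO's actual protocol; the RelyingParty, Authenticator and Assertion names and the message layout are this example's own assumptions), here is a toy Go model of the flow the post sketches: the phone holds a signing key that is unlocked by a local fingerprint check, the website keeps a private DB of public keys, and a login is an assertion presented to the website. It contrasts the two readings of point 3: a website that only checks the presented key against its DB accepts a key copied off the phone every time, while a website that makes the device sign a fresh one-shot challenge rejects the same assertion when it is presented a second time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assertion is what the device presents to the website (hypothetical
// layout for this example; "UserVerified" is the "I used a thumbprint" bit).
type Assertion struct {
	CredentialID string
	Challenge    []byte // server challenge, echoed back
	UserVerified bool
	Signature    []byte // signature over Challenge || flag byte
}

// RelyingParty is the website: a DB of public keys keyed by credential ID,
// plus the set of outstanding one-shot challenges.
type RelyingParty struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]bool
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{keys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Register stores the device's public key under a credential ID.
func (rp *RelyingParty) Register(credID string, pub ed25519.PublicKey) { rp.keys[credID] = pub }

// StaticLookup models the weak design point 3 worries about: the site only
// checks that the presented key is in its DB, so a key copied off the phone
// is accepted again and again.
func (rp *RelyingParty) StaticLookup(credID string, presented ed25519.PublicKey) bool {
	stored, ok := rp.keys[credID]
	return ok && stored.Equal(presented)
}

// NewChallenge mints a fresh 32-byte nonce the device must sign.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// signedMessage fixes what the device signs: challenge || verification flag.
func signedMessage(challenge []byte, userVerified bool) []byte {
	flag := byte(0)
	if userVerified {
		flag = 1
	}
	return append(append([]byte{}, challenge...), flag)
}

// Verify accepts an assertion only if its challenge is still outstanding
// (and consumes it) and the signature checks under the stored public key.
func (rp *RelyingParty) Verify(a Assertion) error {
	key := hex.EncodeToString(a.Challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(rp.challenges, key) // one-shot: a captured assertion cannot be resubmitted
	pub, ok := rp.keys[a.CredentialID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !a.UserVerified || !ed25519.Verify(pub, signedMessage(a.Challenge, a.UserVerified), a.Signature) {
		return errors.New("bad signature or verification flag")
	}
	return nil
}

// Authenticator models the phone: the private key never leaves it and is
// only used after the (simulated) fingerprint match.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

func NewAuthenticator(credID string) (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{credID: credID, priv: priv}, pub
}

// Sign produces the assertion for a challenge; fingerprintOK stands in for
// the local biometric match that unlocks the key.
func (au *Authenticator) Sign(challenge []byte, fingerprintOK bool) (Assertion, error) {
	if !fingerprintOK {
		return Assertion{}, errors.New("biometric match failed; key stays locked")
	}
	return Assertion{CredentialID: au.credID, Challenge: challenge, UserVerified: true,
		Signature: ed25519.Sign(au.priv, signedMessage(challenge, true))}, nil
}

// RunFlow registers a phone, replays a copied key against the static check,
// logs in once with a signed challenge, then replays that assertion.
// Returns (staticReplayAccepted, firstLoginOK, signedReplayRejected).
func RunFlow() (bool, bool, bool) {
	rp := NewRelyingParty()
	phone, pub := NewAuthenticator("cred-1")
	rp.Register("cred-1", pub)
	copied := append(ed25519.PublicKey{}, pub...) // attacker's copy of the stored key
	staticReplay := rp.StaticLookup("cred-1", copied) && rp.StaticLookup("cred-1", copied)
	a, err := phone.Sign(rp.NewChallenge(), true)
	if err != nil {
		return staticReplay, false, false
	}
	return staticReplay, rp.Verify(a) == nil, rp.Verify(a) != nil
}

func main() {
	s, f, r := RunFlow()
	fmt.Println("static replay accepted:", s, "first login ok:", f, "signed replay rejected:", r)
}
```

The contrast is the whole point: what makes the second design resistant to "collect and reuse" is not the key format but that the website binds each login to a challenge it minted and will only honour once, and that the signature can only be produced by the key the fingerprint unlocks.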

