Did they improve the stories for recovery ("I lost my device") and revocation ("my device has been stolen")? As far as I knew you had to buy 2 devices to have a chance of recovery, and Fido 1 explicitly said "revocation is something that needs to be resolved by each website that authenticates users", which is just asking for trouble.
I would love to have a hardware (or even phone-based) alternative to passwords, with no third-party and better privacy, but I feel like this solution only handles the happy path.
For an example of a happy-path-only system that makes me nervous, look at Google Authenticator. Recovery is made with backup codes, but they are also "resolved by each website" (https://security.stackexchange.com/questions/167563/where-to...), which often means no support at all. Not to mention having to create a new backup after creating a new account. I still use Google Authenticator myself, but I dread the day I lose my phone.
If the protocol doesn't handle recovery/authentication, the fallback is a trusted third party (e.g. email) or legal identity (e.g. scanned passport). Aside from being a huge hassle and creating a weak point, it weakens the user's privacy.
Every place that I use my key gives you a set of one-time-use recovery codes. To log into your account, you can use either the key or a code. (You still need your password.) Codes can be regenerated at any time. To revoke a key, you simply remove it from your account.
You have to make sure the attacker cannot revoke your key first. If the backup code is unrevokable, then it is indeed a nice solution, albeit a high-friction one if you are doing safe backups for each new account.
It sounds like this is targeted at machines that are attached to Active Directory, in which case the fallback is the same as before (you call a help desk/sysadmin, and they "reset your password" aka verify your identity and give you a new security key).
> I still use Google Authenticator myself, but I dread the day I lose my phone.
I use KeePassXC, and always add the Google auth code to both my phone and KeePassXC, and I back up my password DB (got burned big time there once....).
But yeah, your point is valid. As a tech savvy guy who thinks about this stuff, it's a pain but works. But for most people manually managing and backing up multitudes of keys, passwords, and login data is just so ridiculous a thing to ask that I can't believe it's 2018 and we haven't solved this yet. There must be a better way!
Re Google Authenticator, as an alternative have you tried Authy? It offers a far better UX, and if you lose your phone you can easily get everything back without doing a backup/restore before hand. Plus you can run it on as many devices as you require, including desktops.
I may be missing something, but Authy seems to me to break one of the main points of 2FA, which is that password breach doesn't give an attacker access to your accounts. If your Authy credentials are compromised, an attacker has access to all of your seeds and can generate codes.
Neither of those problems (lost key, compromised key) are anything new. Why wouldn't sites just handle them the same way they currently handle revoking/resetting passwords?
99% of the websites (I have accounts on) rely on my email for recovery and revocation. But my inbox is not an impenetrable fortress, it's a communication channel; every device I own has access to it, and could be used as a backdoor to my entire digital life.
Then there's the risk of the third-party (Google banning me, being hacked, subpoena'd, etc), the privacy factor (see the Ashley Madison leaks), the often custom code implemented by each website...
Good point. I think these specific problems were somewhat solved by other protocols, such as SQRL, but you are absolutely right, FIDO + email is much better than password + email.
I would love to have a hardware (or even phone-based) alternative to passwords, with no third-party and better privacy, but I feel like this solution only handles the happy path.
For an example of a happy-path-only system that makes me nervous, look at Google Authenticator. Recovery is made with backup codes, but they are also "resolved by each website" (https://security.stackexchange.com/questions/167563/where-to...), which often means no support at all. Not to mention having to create a new backup after creating a new account. I still use Google Authenticator myself, but I dread the day I lose my phone.
If the protocol doesn't handle recovery/authentication, the fallback is a trusted third party (e.g. email) or legal identity (e.g. scanned passport). Aside from being a huge hassle and creating a weak point, it weakens the user's privacy.