> I also understand why one would roll this out on phones first
This is Web Authentication/FIDO 2. We've had security keys like Yubikeys to do this for years.
This is about committing to have computing devices also have the functionality of these security keys built in, to synchronize those credentials within a platform ecosystem, and to support cross-platform usage such as an android phone letting you into a site on a windows desktop browser.
The hope is that much higher user availability will cause much higher site adoption.
> At its core, a model of identity would be to create a keypair for each account and require that key sign each login request.
That is exactly how it works. Web Authentication declares a javascript API for site access, and the request and signed authentication response formats/processing.
> That said, I agree with everyone's fears and frustrations with the actual real world circumstances around phones. I do not trust my phone and I don't really trust the most popular projects to make phones more secure.
There is about eight years of hardware in the market you can use rather than your phone. In addition to security-opinionated end-users, it is expected that some portion of enterprises and governments will require a separate hardware key for employee/contractor access - and may even require specifically the one that their IT hands to the person.
> This is Web Authentication/FIDO 2. We've had security keys like Yubikeys to do this for years.
Yes - doesn't the article suggest that this would use FIDO? "According to the FIDO Alliance, users will be able to sign in to websites through the same action that they take multiple times each day to unlock their devices"
I was pointing out that this model - FIDO or some other version - does make sense. Even if the drawbacks of forcing people to use it on phones are obvious.
> There is about eight years of hardware in the market you can use rather than your phone.
If there are dedicated hardware solutions that's great! It seemed from the article like they were requiring phones - which was the source of my concern.
This is Web Authentication/FIDO 2. We've had security keys like Yubikeys to do this for years.
This is about committing to have computing devices also have the functionality of these security keys built in, to synchronize those credentials within a platform ecosystem, and to support cross-platform usage such as an android phone letting you into a site on a windows desktop browser.
The hope is that much higher user availability will cause much higher site adoption.
> At its core, a model of identity would be to create a keypair for each account and require that key sign each login request.
That is exactly how it works. Web Authentication declares a javascript API for site access, and the request and signed authentication response formats/processing.
> That said, I agree with everyone's fears and frustrations with the actual real world circumstances around phones. I do not trust my phone and I don't really trust the most popular projects to make phones more secure.
There is about eight years of hardware in the market you can use rather than your phone. In addition to security-opinionated end-users, it is expected that some portion of enterprises and governments will require a separate hardware key for employee/contractor access - and may even require specifically the one that their IT hands to the person.