Lost Dog! User Centric ID Management (FIDO and Other Opts…

From IIW

Session Topic: Lost Dog! Usercentric ID Management

Wednesday 5H

Convener: Chris Edwards, Intercede

Notes-taker(s): Peter Cattaneo, Intercede

Tags for the session - technology discussed/ideas considered: User-Centric ID, FIDO, credential lifecycle management, lost/stolen devices, device migration, improved user experience

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps: Brief history of credential management. Smart Cards, HSPD-12: Enrollment, lifecycle management. Existing solutions based on centralized issuance and management model.

Support lifecycle events such as lost/stolen devices, credential updates, device migration, user termination.

Secure credentials migrating into mobile devices; multiple secure elements available. Works today with existing centralized ID systems.

User centric ID needs a different approach. Brief FIDO overview


What happens when you lose a device? How do you migrate to a new device after you’ve registered lots of sites? How can you provision multiple devices with authenticators for the same set of RPs.

FIDO does not specify these user management features. Risks:

  • 1) Bad user experience
  • 2) Recovery process is lower security than FIDO PK credentials creating at soft point of attack

Possible solutions:

  • 1) enhance the device to enable management on a mobile device;
  • 2) cloud service;

MePin.com has implemented a cloud service with similar functionality; does not yet support FIDO.

Follow up:

Need to make sure that FIDO specs do not contain anything that would preclude implementing this functionality.

Work to standardize functions to:

  • revoke existing authenticator;
  • add second authenticator; using the first authenticator for authentication.