[Dailydave] Some thoughts on...biometrics and FIDO

Dave Aitel dave at immunityinc.com
Tue Oct 29 14:09:16 EDT 2013


So I got to watch a presentation on FIDO
<http://www.usatoday.com/story/cybertruth/2013/10/28/qa-implications-of-the-coming-of-biometric-wave/3286381/>yesterday.
They're an "industry group" (tm) which is pressing forward a standard
for doing authentication from mobile devices to websites. Their goal is
to define a protocol where you create a certificate (they refuse to call
it a cert, but it's an RSA key) which you secure locally on your device
via a thumbprint (or private-parts print, if you're Nick
<http://www.tomsguide.com/us/iphone-fingerprint-scanner-test,news-17587.html>).
Then you present a little XML file with "<I used a thumb print><here is
my cert>" to websites which ask for it. They go look for your cert in
their private DB of certs, and authenticate you. And your user
experience is simply opening up the website, and pressing your thumb to
something.

Here are some issues with it:

1. The name should really be "FIDONet", for the old timers, right? :>
2. They have PayPal and Google on board. Google already has
google-wallet, and PayPal has paypal and they're competitors and they're
missing the other big player in the mobile space....Apple. Without
Apple, I don't see this going anywhere, and I don't see Apple joining
them, so it's a bit of a dead end. Once they GET Apple they then have to
get both Microsoft and Apache.
3. The technology itself is too simple. There's really nothing to keep
someone from collecting the certs off a phone and re-using them.

And in summary, everyone wants remote attestation (aka,
PALLADIUM/NGTCB), but nobody appears to have read or understood the
NGTCB documents who is working in this space. (Or they've read 'em, and
they're ignoring them because of business reasons, which is more likely.)

-dave
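
A minimal model of the exchange described above, added here as an example; it is not code from the original post and not a FIDO implementation. It assumes (my assumptions, not the post's) that the site sends a random challenge, the phone signs it with a per-site RSA key after a local thumbprint check, and the site verifies the signature against the public key it stored at registration. The `Phone`, `Website` and `run_demo` names are invented for the example, and the signature scheme is textbook RSA over a SHA-256 digest so the block runs with the standard library alone; that is not a secure signature scheme and not what FIDO specifies. The demo walks through a normal login, a replayed assertion, and issue 3 from the post: a key copied off the phone signs fresh challenges from anywhere, because the thumbprint check never leaves the device and the site only ever sees the signature.

```python
import hashlib
import random
import secrets


# --- toy RSA, stdlib only (assumption for the example; NOT secure, NOT FIDO) ---

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((e, n), (d, n)). 512 bits is for speed in the demo only."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:      # e is prime, so this gives gcd(e, phi) == 1
            continue
        return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")   # < n for 512-bit n


def rsa_sign(priv, msg):
    d, n = priv
    return pow(_digest_int(msg), d, n)


def rsa_verify(pub, msg, sig):
    e, n = pub
    return pow(sig, e, n) == _digest_int(msg)


class Phone:
    """The user's device: one key per site, unlocked by a purely local thumbprint check."""

    def __init__(self, enrolled_print):
        self._enrolled_print = enrolled_print
        self._keys = {}                      # origin -> private key, kept on the phone

    def _unlock(self, presented_print):
        if presented_print != self._enrolled_print:
            raise PermissionError("thumbprint mismatch")

    def register(self, origin, presented_print):
        self._unlock(presented_print)
        pub, priv = rsa_keygen()
        self._keys[origin] = priv
        return pub                           # the site keeps this in its DB of "certs"

    def authenticate(self, origin, challenge, presented_print):
        self._unlock(presented_print)
        sig = rsa_sign(self._keys[origin], origin.encode() + challenge)
        return {"used_thumbprint": True, "signature": sig}   # the "<I used a thumb print>" blob

    def dump_keys(self):
        """What someone who pulls the key store off the phone walks away with."""
        return dict(self._keys)


class Website:
    def __init__(self, origin):
        self.origin = origin
        self._db = {}                        # user -> public key
        self._pending = {}                   # user -> outstanding challenge

    def register(self, user, pub):
        self._db[user] = pub

    def challenge(self, user):
        c = secrets.token_bytes(32)
        self._pending[user] = c
        return c

    def verify(self, user, assertion):
        c = self._pending.pop(user, None)    # each challenge is usable once
        if c is None or user not in self._db:
            return False
        # "used_thumbprint" is an unverifiable claim; only the signature is checked.
        return rsa_verify(self._db[user], self.origin.encode() + c, assertion["signature"])


def run_demo():
    site = Website("https://example.test")              # constructed origin
    phone = Phone(enrolled_print=b"alice-thumb")        # constructed biometric stand-in
    site.register("alice", phone.register(site.origin, b"alice-thumb"))

    c = site.challenge("alice")                          # 1. normal login
    assertion = phone.authenticate(site.origin, c, b"alice-thumb")
    legit = site.verify("alice", assertion)
    replay = site.verify("alice", assertion)             # 2. replay: challenge already consumed

    stolen = phone.dump_keys()[site.origin]              # 3. key copied off the phone
    forged = {"used_thumbprint": True,
              "signature": rsa_sign(stolen, site.origin.encode() + site.challenge("alice"))}
    stolen_key = site.verify("alice", forged)            # no thumb needed anywhere

    try:                                                 # 4. wrong thumb on the real phone
        phone.authenticate(site.origin, site.challenge("alice"), b"mallory-thumb")
        wrong_thumb_refused = False
    except PermissionError:
        wrong_thumb_refused = True

    return {"legit": legit, "replay": replay,
            "stolen_key": stolen_key, "wrong_thumb_refused": wrong_thumb_refused}
```

Running `run_demo()` gives `legit` and `wrong_thumb_refused` as `True`, `replay` as `False`, and `stolen_key` as `True`: the one-shot challenge stops a captured assertion from being replayed, but nothing in the exchange lets the site tell a signature made on the phone after a thumbprint from one made with a copy of the same key on any other machine.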
