To maximize FIDO benefits, one must consider implementation/operational details not apparent in the protocol.
* To SSO or not to SSO? Single Sign-On (SSO) was born in a different era. While digital certificates were intended to eliminate passwords and SSO, PKI did not deliver the ROI. FIDO delivers “”simpler, stronger authentication””; but, do legacy SSO protocols complement or diminish the security benefits FIDO brings to the table? This section covers SSO nuances to ensure SSO protocol weaknesses do not diminish FIDO strengths;
* FIDO was designed as a privacy protecting protocol. Consequently, it does not carry user identification during registration or authentication. However, depending on how FIDO is implemented, relying parties (RP) might leak personally identifiable information (PII) to third parties without realizing legal implications. This section covers privacy implications of FIDO implementations and what RPs must do to mitigate regulatory compliance risks;
* FIDO offers many features to support different use-cases. How should RPs manage these features without customizing options into every application? This section covers how RPs should define policies for simplifying FIDO implementation and operations;
* Integrating PKI + FIDO. This section highlights solutions for enabling users with FIDO and digital certificates within enterprises and government agencies, and shows how layering TLS ClientAuth + FIDO can exceed even NIST AAL-3 compliance;
While the FIDO protocol is 8+ years old, passwordless authentication has been around for over 3 decades. The speaker has spent 24+ years in building large-scale passwordless authentication infrastructures, and brings lessons that can help the FIDO community.