Present:

Zacharias Törnblom (SUNET), Marlies Rikken (SURF), Ines Duits (SURF), Jürgen Brauckmann (DFN), Wolfgang Pempe (DFN), João Guerreiro (FCCN), Esmeralsa Pires (FCCN), Alessandro Distaso (SUNET), Mario Di Lorenzo (GARR), Ester Ruiz-Ben (DFN), Peter Clijsters (SURF)

Agenda:

Security deepdive

  • Multi-factor authentication good practices, such as security keys
  • Passwordless authentication, e.g. with passkeys
  • Security awareness → how do we teach our users?
  • Passwords must die


Discussion notes:

Ranking the different access methods (hardware token, password, phone verification, passkey, OTP) when used as the second factor on login:

Multiple types of hardware keys are possible (separate from, or built into, the device, such as a laptop).

Cellphone-based methods rely on parties we don't really control.

Passwords are agreed to be the lowest.


eduID.se does not use OTP for login, because it is vulnerable to phishing.

OTP does get used in the sign up flow (email verification).


Preference for SUNET = hardware token, then passkey, then password.

SWAMID

DIGG sets the trust profile for electronic IDs and sets different standards. Their medium assurance level is similar to REFEDS high.

Digital exam case:

  • Teachers need to log in securely to start the tests.
  • They need to use the same security key every time. Teachers do not have a YubiKey.
  • SUNET needed to push DIGG to allow passkeys, otherwise it was not possible to do the tests.

Reality is that the cost of hardware tokens like YubiKeys for all teachers is too high.

Teachers could still use a hardware token if they would like to.


Recovery methods

Users are asked to add a passkey or hardware token. The recovery of a passkey would rely on (for example) the process at Apple. In case you lose the hardware token, you can also use passport or eIDAS verification to reclaim your account.

If the account only has password protection after you have done ID vetting, and the password is lost, then the ID vetting also gets reset and you need to verify your identity again.

If the second factor is lost but you do have ID vetting, then you can also recover the account with ID vetting.

User feedback on the passkeys has been very positive so far. Less hassle compared to hardware tokens.

What about transferability between different devices? It is not really possible. Adding a separate passkey per ecosystem is the workaround for now.

Either you trust the passkey ecosystem or not.


eduID.se - we don't trust all hardware tokens equally.

There are specific requirements on the trusted hardware tokens: remotely activated tokens are not allowed, the user needs to be present. A trusted list can help the user determine what is trusted (see https://eduid.se/faq).


Mario:

For now using just passwords and OTP. Afraid of how the users will interact with passkeys; many people in Italy have a lot of different devices. Difficult to convince people to buy hardware (such as a hardware token).


Where are the most user questions?

se: Most questions come from people who no longer have a hardware token, usually a lost hardware token.

it: Questions mostly about a lost cellphone, e.g. what to do if I forget my cellphone.


Password managers have started to be able to create passkeys. eduID.se is not yet able to use all of them. Want to ensure compatibility and are putting in requests.


What is the effort on continuous support of passkeys?

The list from FIDO defines what FIDO calls a hardware token.

Don't have to do a lot; the main task is keeping the metadata file updated.
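As an added illustration (not code from eduID.se or any project mentioned here) of the two points above, the user-presence requirement on trusted tokens and the metadata-driven trusted list, this example parses the WebAuthn authenticator data sent at registration, checks the rpIdHash and the UP flag, and accepts a hardware-bound authenticator only if its AAGUID is on a trusted list; the AAGUIDs, the rp_id and the acceptance policy for synced passkeys are assumptions for the example.

```python
import hashlib
import struct
import uuid

# Bits of the WebAuthn authenticator-data flags byte.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_AT = 0x01, 0x04, 0x08, 0x40

# Constructed allowlist (placeholder AAGUIDs, not real authenticators). A real
# deployment fills this from the FIDO metadata it has reviewed and keeps it current.
TRUSTED_AAGUIDS = {"11111111-1111-1111-1111-111111111111": "example hardware key"}

def parse_authenticator_data(data: bytes) -> dict:
    """Parse rpIdHash, flags, signCount and, if the AT bit is set, AAGUID and credential id."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    out = {"rp_id_hash": data[:32], "flags": flags,
           "sign_count": struct.unpack(">I", data[33:37])[0],
           "aaguid": None, "credential_id": None}
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", data[53:55])[0]
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        out["aaguid"] = str(uuid.UUID(bytes=data[37:53]))
        out["credential_id"] = cred_id
    return out

def evaluate_registration(data: bytes, rp_id: str) -> tuple:
    """Example policy: presence required; hardware-bound keys must be on the trusted list."""
    ad = parse_authenticator_data(data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not ad["flags"] & FLAG_UP:
        return False, "user presence not asserted (remote activation not accepted)"
    if ad["aaguid"] is None:
        return False, "registration carries no attested credential data"
    if ad["flags"] & FLAG_BE:  # backup-eligible: a synced passkey, accepted under ecosystem trust
        return True, "synced passkey: accepted under ecosystem trust"
    if ad["aaguid"] not in TRUSTED_AAGUIDS:
        return False, "hardware-bound authenticator not on the trusted list"
    return True, "trusted hardware key: " + TRUSTED_AAGUIDS[ad["aaguid"]]

def build_authenticator_data(rp_id: str, flags: int, aaguid: str, cred_id: bytes) -> bytes:
    """Build constructed authenticator data for testing (the CBOR public key is omitted, the parser does not read it)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags | FLAG_AT])
            + struct.pack(">I", 1) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id)
```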


To get started it is a bit of work, but there are plenty of open libraries to use.


SWITCH (eduID.ch) is also implementing passkeys.


FCCN - do not have an eduID yet, beginning to think about MFA for the institution. SecureID is a bit too big to add. Looking at privacy; considering whether it could be smart to go to passkeys right away. Perhaps it is possible to do a pilot. Thinking whether to rebrand science


SURF - email links, passwords, passkeys, passwordless: eduID app verification (push message to app). Thinking of promoting the push message to an MFA method.

SMS and one-time security codes as backups.

Could it be possible to enforce the app or a hardware token? Hardware token.

Roaming profiles exist.


For next session: Marlies & Esther will coordinate to set up a user experience session with results for both studies.


Resources:

passkeys.io

https://webauthn.io/

www.ciencia-id.pt

https://eduid.se/faq (security keys subsection)

