FIDO has its shortcomings, too, and its users can be victims of phishing just as much as anyone else. All you need is the right inducement. For example...

Passwords: Enter your password now or your account will be frozen.

Tokens: Enter the token code now or your account will be frozen. 

FIDO: Swipe your finger on your FIDO device now or your account will be frozen. 


But back to your original query, Gerv, I would just add the following to all the other good points people have made:

From the perspective of HSBC, devices get infected with malware all the time, and sometimes people will want to use that device for their banking. This means that anything associated with a compromised device--passwords, certificates, and even USB security devices--has the potential to be compromised, which ultimately can lead to fraud. The way to mitigate some of that risk, then, is to have a completely separate device like Secure Key that you don't plug in to anything.

My guess is that that's where they are coming from--the effectiveness of reducing risk weighed against the cost of bank fraud. Relying on client certs wouldn't sufficiently reduce that risk.

Still, it's possible that certs could be a better way to go in a different context, and some interesting cases have come up here. It's just a question of picking the right tool for the job.

Good discussion!


From: Ryan Sleevi
Sent: Friday, September 26, 2014 4:57 AM

...

However, what I'm surprised to see no one having pointed out is that all
of these 2FA systems - including the one you mentioned - is phishing.

This is where 2FA systems like FIDO come in to play, because the
cryptographic assertion is bound to the channel (like TLS client
certificates), and thus cannot be phished (as the assertion is no longer a
bearer token, as it is with those PIN systems). You can see more at
https://fidoalliance.org/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
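The channel binding Ryan describes, as an added toy example that is not part of this thread or of any FIDO implementation: the browser (not the page) records the origin it actually connected to in the signed client data, and the relying party checks that origin before it checks the signature, so an assertion produced on a look-alike site is rejected even if the challenge was relayed verbatim. HMAC stands in for FIDO's per-credential key pair, and bank.example / bank-login.example are constructed names.

```python
import hashlib
import hmac
import json
import secrets

# Toy model of channel binding: the signed client data carries the origin the
# browser really connected to, and the relying party (RP) verifies that origin
# before the signature. HMAC stands in for the real per-credential key pair.

class Authenticator:
    def __init__(self):
        self._keys = {}                          # rp_id -> credential key

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]                 # given to the RP at registration

    def sign(self, rp_id, client_data):
        key = self._keys[rp_id]                  # credentials are scoped to one RP ID
        return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()


def client_data_for(origin, challenge):
    """The browser, not the page, fills in the origin it really connected to."""
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()


class RelyingParty:
    def __init__(self, origin, cred_key):
        self.origin, self.cred_key, self.challenge = origin, cred_key, None

    def new_challenge(self):
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify(self, client_data, signature):
        cd = json.loads(client_data)
        if cd["origin"] != self.origin or cd["challenge"] != self.challenge:
            return False                         # relayed from another origin, or replayed
        expected = hmac.new(self.cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def run_login(page_origin, bank_origin="https://bank.example"):
    """Return the RP's verdict when the user authenticates while on page_origin."""
    authn = Authenticator()
    rp = RelyingParty(bank_origin, authn.register("bank.example"))
    challenge = rp.new_challenge()               # a phishing page can relay this verbatim
    cd = client_data_for(page_origin, challenge)
    # A real browser would already refuse to use the bank's credential from another
    # origin; the RP-side origin check modelled here is the second line of defence.
    return rp.verify(cd, authn.sign("bank.example", cd))
```

Compare with a PIN/OTP code, which carries no origin at all: whatever the user types into the look-alike page can be forwarded unchanged.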
