Newsletter Archives - IDPro
https://idpro.org/category/newsletter/
The Professional Organization for Digital Identity Management
Feed last updated: Tue, 26 Nov 2024 16:47:46 +0000

Exploring New Frontiers in Account Recovery
https://idpro.org/exploring-new-frontiers-in-account-recovery/
Mon, 25 Nov 2024 15:10:50 +0000 (https://idpro.org/?p=2706)

Account recovery has long been a pain point for both businesses and users. With over 30% of contact center calls tied to recovery processes, the operational and fraud-related costs can add up quickly. I recently posted an article on LinkedIn, Using a Passport Chip for Account Recovery, which outlines a forward-looking approach to tackling this issue: leveraging the cryptographic security of passport chips.

While this idea may still be in the realm of innovation rather than standard practice, it introduces a pattern worth exploring for organizations looking to strengthen their account recovery processes.

Why Explore NFC Chips?

Modern passports and ID cards often include NFC chips containing cryptographically verifiable data. These chips offer significant security benefits, such as:

  • Resistance to forgery: the data on a government-issued chip is digitally signed by the issuing authority (ICAO Passive Authentication), so it cannot be altered or fabricated the way a photographed document, a knowledge-based answer, or a voice on a call can; chips that support Active or Chip Authentication also resist cloning. Note that the chip proves the document is genuine; binding it to the person presenting it still relies on matching the stored portrait against the live user.
  • Privacy-first design: the verifier compares the chip data against what the account already holds and can discard it afterwards, rather than retaining copies of the document or its personal data.
  • Global availability: With billions of chipped IDs in circulation, the infrastructure for this approach already exists.

With an NFC-enabled phone, a user can read their own document chip and prove possession of a genuine document, replacing recovery methods such as knowledge-based authentication (answers that can be researched or phished) and telephone-based verification (agents who can be socially engineered), both of which have become increasingly vulnerable.

A Potential New Path for Account Recovery

For organizations grappling with the growing complexity of identity verification, this model introduces a forward-thinking possibility:

  1. Improved Security Posture: A recovery path must be at least as strong as the authentication it can reset, or it becomes the path of least resistance for account takeover; this is a critical principle in identity management, and a cryptographically verifiable identity document lets recovery meet that bar.
  2. Cost Reduction: Eliminating labor-intensive telephone-based identity verification could yield significant savings, especially for larger organizations. 
  3. Value Protection: Customer Lifetime Value is at risk if organizations lack account takeover prevention measures—would account takeover victims remain loyal? 
  4. Enhanced User Experience: Self-service recovery options leveraging widely available technology could reduce frustration for legitimate users while thwarting fraud attempts.
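As an added example, not code from the original post or from Inverid, here is how the pattern described above can be implemented on the service side in Python: check that each data group read from the chip matches the hash list in the Document Security Object, confirm the document is still valid, and match it against the account using a keyed hash rather than stored personal data. The chip read is a constructed stand-in (real DG1 uses the ICAO MRZ layout and YYMMDD dates), the issuer's signature over the SOD is assumed to have been verified already by the chip-reading library, and server_key is a hypothetical service-held secret.

```python
"""Passport-chip-backed account recovery: integrity check of the chip data,
privacy-preserving match against the account, then the recovery decision."""
import hashlib
import hmac


def make_chip_read(doc_number, country, dob, expiry, portrait=b"\xff\xd8portrait-bytes"):
    """Constructed stand-in for what a chip-reading library hands back after it
    has verified the issuer's signature over the Document Security Object (SOD).
    DG1 is simplified to four '|'-separated MRZ fields with YYYYMMDD dates
    (real DG1 uses the ICAO MRZ layout and YYMMDD); DG2 stands in for the portrait."""
    dg1 = f"{doc_number}|{country}|{dob}|{expiry}".encode()
    data_groups = {"DG1": dg1, "DG2": portrait}
    # The SOD carries one hash per data group; these are the values the issuer signed.
    sod_hashes = {name: hashlib.sha256(content).hexdigest()
                  for name, content in data_groups.items()}
    return {"data_groups": data_groups, "sod_hashes": sod_hashes}


def verify_data_groups(chip):
    """Integrity half of Passive Authentication: every data group must hash to
    the value carried in the signature-checked SOD. A swapped portrait (DG2) or
    an edited MRZ (DG1) fails here even if each part looks plausible on its own."""
    for name, expected in chip["sod_hashes"].items():
        content = chip["data_groups"].get(name)
        if content is None:
            return False
        actual = hashlib.sha256(content).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


def parse_dg1(chip):
    doc_number, country, dob, expiry = chip["data_groups"]["DG1"].decode().split("|")
    return {"doc_number": doc_number, "country": country, "dob": dob, "expiry": expiry}


def document_commitment(server_key, mrz):
    """Keyed hash over the fields that identify the document. The account record
    stores this value instead of the MRZ, so a database leak exposes no document
    numbers or dates of birth, and the server-held key (hypothetical here) stops
    offline guessing of these low-entropy inputs."""
    material = "|".join((mrz["country"], mrz["doc_number"], mrz["dob"])).encode()
    return hmac.new(server_key, material, hashlib.sha256).hexdigest()


def enroll(server_key, chip):
    """At enrollment the chip is read once and only the commitment is kept."""
    return document_commitment(server_key, parse_dg1(chip))


def recover(server_key, stored_commitment, chip, today):
    """Recovery decision; 'today' is a YYYYMMDD string so it compares like the
    MRZ expiry field. Order matters: integrity, then validity, then account match."""
    if not verify_data_groups(chip):
        return False, "data group hash mismatch"
    mrz = parse_dg1(chip)
    if mrz["expiry"] < today:
        return False, "document expired"
    if not hmac.compare_digest(document_commitment(server_key, mrz), stored_commitment):
        return False, "document does not match account"
    return True, "ok"


if __name__ == "__main__":
    key = b"hypothetical-server-side-secret"
    chip = make_chip_read("X1234567", "NLD", "19850701", "20300101")
    stored = enroll(key, chip)
    print(recover(key, stored, chip, "20250101"))
```

Matching the commitment only proves that the same document was presented again; tying the document to the person holding it is the job of the portrait match (DG2 against a live capture), which is why the integrity check covers DG2 as well as DG1. The keyed hash is what delivers the privacy-first property: a table of commitments is useless to anyone who obtains it without the key.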

Recognizing the Challenges

This is not a one-size-fits-all solution. Organizations must weigh several factors, such as:

  • The availability of NFC-enabled identity documents among their user base.
  • Educating users on how to use their chipped IDs effectively.
  • Addressing edge cases where users lack compatible IDs or devices.

Additionally, as the article acknowledges, this approach requires collaboration across industries and careful consideration of privacy and compliance requirements.

An Idea to Explore

As an IDPro member, I appreciate the value of discussing emerging ideas like this with the community—not as definitive solutions but as possibilities to explore as the identity landscape evolves. For some organizations, NFC-based account recovery may represent a promising opportunity to address vulnerabilities in their processes. For others, it may serve as inspiration for thinking creatively about strengthening identity recovery.

Learn More

To explore the technical and operational considerations of using NFC-enabled passport chips in account recovery, check out the full article on LinkedIn: Using a Passport Chip for Account Recovery.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author Bio

Rob Brown has had chips with everything throughout his career:
From RFID tag start-ups to the NFC Forum, growing market demand for smart card processors, and Trusted Execution Environments for mobile payments and biometrics.
He consulted on IAM of Things and supply chain transparency, went through blockchain, and is now at @Inverid, where NFC chips, IDV, mobiles, and biometrics converge in an app that scans your document chip to prove it is you.
As a mountain bike coach, he has seen that every crash teaches a lesson. A smashed phone and a world of digital pain in account recovery inspired him to look for something better for the next time.

The post Exploring New Frontiers in Account Recovery appeared first on IDPro.

Don’t Pass on Passkeys
https://idpro.org/dont-pass-on-passkeys/
Tue, 30 Jul 2024 23:40:50 +0000 (https://idpro.org/?p=2649)

By Dean H. Saxe

Last month, the IDPro newsletter published an OpEd entitled I’ll pass (for now) on Passkeys. In it, the author discusses their caution in adopting passkeys at this time due to perceived interoperability and usability challenges. Out of concern that those perceptions might hinder the growth of passkeys, and thereby limit options for users and relying parties who need better credentials than passwords, I’d like to share my own perspective below.

First, let’s clarify some language around passkeys. Passkeys are defined as FIDO discoverable credentials. Discoverable credentials reside within the authenticator, whether it is a hardware security key, a TPM, or a passkey provider. They are distinguished from non-discoverable FIDO credentials, whose key material is wrapped into the credential ID returned to the relying party (RP) at registration and is thus effectively stored by the RP. Yubico has a good writeup on the concepts.

Passkey Options

Within the realm of passkeys, there are two further options: device-bound passkeys and synced (synchronized) passkeys. Device-bound passkeys are bound to hardware on a single device – a Trusted Platform Module (TPM), Trusted Execution Environment (TEE), or Secure Element (SE). They cannot be exported or backed up; if the device is lost, reset, or broken, the credentials are lost and cannot be recovered. Synced passkeys are stored within a passkey provider’s synchronization (sync) fabric and may be moved between devices, shared, and (in some cases) exported. The sync fabric provides high availability and reduces the risk of losing the credential.

Fundamentally, all FIDO credentials – passkeys and non-discoverable credentials alike – share the same security model. Each credential is an asymmetric key pair bound to the origin it was registered for, which is what gives FIDO its phishing resistance: a lookalike site cannot obtain a valid assertion for the genuine one. Because the RP holds only the public key, there is no secret to steal from the RP, unlike a password hash or an OTP seed.
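As an added example, not code from the original post or from Beyond Identity, the following Python shows the relying-party checks on a WebAuthn assertion that make the origin binding described above concrete, and reads the backup-eligible (BE) and backup-state (BS) flags in authenticatorData that tell a device-bound passkey from a synced one. The authenticatorData and clientDataJSON values are constructed samples built by the helper in the block; verification of the signature with the credential's stored public key is assumed to run alongside these checks and is not shown.

```python
"""Relying-party checks on a WebAuthn assertion's authenticatorData and
clientDataJSON: challenge, origin binding, rpIdHash, UP/UV, and the BE/BS
flags that distinguish device-bound from synced passkeys."""
import hashlib
import json
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN or biometric); the second factor for AAL2
FLAG_BE = 0x08  # backup eligible: the credential may be synced
FLAG_BS = 0x10  # backup state: the credential is currently backed up
FLAG_AT = 0x40  # attested credential data included (registration only)
FLAG_ED = 0x80  # extension data included


def make_authenticator_data(rp_id, flags, sign_count=0):
    """Constructed sample builder: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian),
    without attested credential data or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data):
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": bool(flags & FLAG_BE),
        "bs": bool(flags & FLAG_BS),
    }


def classify_passkey(parsed):
    """BE clear: device-bound (TPM/TEE/SE; gone if the device is lost).
    BE set: synced passkey; BS says whether it is currently backed up."""
    if not parsed["be"]:
        return "device-bound"
    return "synced (backed up)" if parsed["bs"] else "synced (eligible, not yet backed up)"


def check_assertion_binding(auth_data, client_data_json, expected_rp_id, allowed_origins,
                            expected_challenge, require_uv):
    """Checks the RP performs on the signed payload. The signature over
    authenticatorData || SHA-256(clientDataJSON) must be verified with the stored
    public key before these results are trusted; that step is not shown here."""
    parsed = parse_authenticator_data(auth_data)
    client_data = json.loads(client_data_json)
    reasons = []
    if client_data.get("type") != "webauthn.get":
        reasons.append("wrong clientData type")
    if client_data.get("challenge") != expected_challenge:
        reasons.append("challenge mismatch")
    # Origin binding: the browser, not the page, writes the origin in, so a
    # lookalike site produces a clientDataJSON that fails this check.
    if client_data.get("origin") not in allowed_origins:
        reasons.append("origin mismatch")
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        reasons.append("rpIdHash mismatch")
    if not parsed["up"]:
        reasons.append("user presence not asserted")
    if require_uv and not parsed["uv"]:
        reasons.append("user verification required but not asserted")
    return {"ok": not reasons, "reasons": reasons,
            "kind": classify_passkey(parsed), "sign_count": parsed["sign_count"]}


# Constructed samples. Synced passkeys commonly report a signCount of 0, so
# counter-based clone detection is not available for them.
SYNCED_AUTH_DATA = make_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
DEVICE_BOUND_AUTH_DATA = make_authenticator_data("example.com", FLAG_UP | FLAG_UV, 42)
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; a real one is fresh per ceremony
GENUINE_CLIENT_DATA = json.dumps(
    {"type": "webauthn.get", "challenge": CHALLENGE, "origin": "https://example.com"}).encode()
PHISHED_CLIENT_DATA = json.dumps(
    {"type": "webauthn.get", "challenge": CHALLENGE, "origin": "https://example.com.login-verify.test"}).encode()

if __name__ == "__main__":
    print(check_assertion_binding(SYNCED_AUTH_DATA, GENUINE_CLIENT_DATA, "example.com",
                                  {"https://example.com"}, CHALLENGE, require_uv=True))
```

An RP that wants to apply a different policy to synced and device-bound credentials (for example, insisting on user verification before it treats a synced passkey as AAL2) can branch on the kind returned here. The BE and BS bits are present in the registration response as well, so the classification can be stored with the credential rather than re-derived at every login.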

More on Synced Passkeys

The introduction of passkeys (what we now call synced passkeys) in 2022 changed our approach to phishing-resistant credentials. With synced passkeys, users create credentials that automatically sync through the cloud within a single ecosystem (e.g., iCloud). This synchronization keeps the passkey available even if a device is lost. However, in the initial deployment these credentials were only available within that vendor’s ecosystem. Cross-device authentication partially solved this by allowing a device from one ecosystem to authenticate on another without sharing the passkey. Synced passkeys alleviate the concerns of consumer and enterprise markets where managing device-bound credentials creates unacceptable user friction.

In 2023, we saw the emergence of third-party passkey providers, including traditional “password managers,” enabled on multiple platforms. Passkey providers offer alternatives to a platform’s own passkey implementation, allowing syncing across platforms within the provider’s ecosystem. Today, 25 different passkey providers are listed in the Passkey Authenticator AAGUIDs list, including small companies, large companies, and open-source implementations, and passkey providers are available for all major browsers and operating systems.

Security Spectrum

All credentials reside somewhere along a security spectrum; this is no different with passkeys.  

In a 2023 study by Bitwarden, only 30% of respondents use password managers (credential managers), while 84% of users reuse passwords across sites! Any increase in the use of a credential manager raises the bar for end-user security, whether the user chooses a password or a passkey. If users choose passkeys, let’s celebrate! We just reduced authentication friction for the user with a higher-quality, phishing-resistant credential, reducing risk for both the user and the relying party.   

Synced passkeys introduce new risks compared to the traditional FIDO hardware key deployment model. Synced passkeys may be leaked through credential sharing, insecure credential export, attacks against the passkey provider, or attacks on the provider’s client application. All of these attacks are possible against credential managers today, yet we broadly agree that using a credential manager effectively reduces the risks associated with passwords. 

Passkeys Support

Recently, NIST published SP 800-63B Supplement 1, which sets out the properties a syncable authenticator (a synced passkey) must have to reach Authenticator Assurance Level 2 (AAL2). Passkeys with demonstrable properties that meet or exceed the requirements in Section 4 of the supplement can meet the AAL2 bar. Since passkeys are commonly considered a “password replacement,” it is reasonable to treat every passkey as at least AAL1. Yet that classification is not fine-grained enough to show that, even within AAL1, some credentials are better than others: a passkey is clearly superior to a password, even though both are AAL1 credentials.

In practical terms, vendor lock-in for passkeys does not exist. Any service supporting passkeys should allow the registration of multiple passkeys per account. Users operating across platforms or ecosystems can register passkeys with several providers or use a cross-platform passkey provider. The Cross-Device Authentication flow lets a user authenticate on a client that has no passkey by using a phone or tablet (the “authenticator”) that does.

Today, some passkey providers (KeePassXC, Proton Pass, and Bitwarden) allow you to export your passkeys to disk for backup as you see fit. While I don’t recommend this option, it exists.

What’s Next

The FIDO Alliance is developing a new Universal Credential Exchange protocol to allow the secure transport of passkeys and other credentials between different credential managers. I hope we’ll see public implementations of Universal Credential Exchange soon.

Passkeys are not perfect, but they continue to evolve through the hard work of members in the FIDO Alliance and W3C. Don’t let perfect be the enemy of good and overlook passkeys.  Identify use cases for passkeys in your environment as a password replacement, second factor, or even as an AAL2 multi-factor credential. Together, we can reduce the use of knowledge factors, phishing, and related fraud while delivering a better user experience.

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author

Dean H. Saxe is a Principal Engineer in the Office of the CTO of Beyond Identity, founding member of IDPro, IDPro Body of Knowledge author and reviewer, the first person to obtain the CIDPRO certification, and co-chair of the FIDO Alliance Enterprise Deployment Working Group (EDWG). Beyond the realm of Identity, Dean is passionate about traveling, cycling, camping, board games, cooking, and spending time with his wife, two kids, and two dogs.

The post Don’t Pass on Passkeys appeared first on IDPro.

Updates from AuthZEN
https://idpro.org/updates-from-authzen/
Tue, 30 Jul 2024 23:25:04 +0000 (https://idpro.org/?p=2644)

by David Brossard

Well, it’s been another busy few months for the authorati (credits to Omri Gazitt of Aserto and Sebastian Rohr of Umbrella Associates for coining the term). The OpenID AuthZEN Working Group was busy putting the final touches on its first implementer’s draft all the while spreading the gospel at several events. Let’s rewind the tape and sum up the highlights.

May 2024 – Identiverse – AuthZEN Interop

We were fortunate enough that both Identiverse and OpenID lent us rooms during the event to finalize our initial interop: 12 different implementations took part and successfully tested their capabilities against a Rick & Morty-inspired demo app. So, what does the initial interop include? A fully spec’ed-out binary authorization API that lets a client send an authorization request as a yes/no question, e.g. “Can Alice view document #123?”, and get a decision back as a boolean. For those familiar with XACML, this is a streamlined and simplified version. For developers and API lovers out there, you can check out the sample AuthZEN Postman library. Omri (Aserto) also maintains a website that walks readers through the interop.

In addition, there were several talks worth calling out:

  • The Authorization Conversation panel led by Eve Maler – AI-generated summary
  • Read Out from the AuthZEN Interop Event – slides

The latest version of the implementer’s draft can be accessed here. Readers interested in providing feedback should use the issues feature in the AuthZEN GitHub repository.

June 2024 – European Identity Conference – AuthZEN Interop (take 2)

Attendees and speakers of Identiverse had a mere 48 hours before heading out to Berlin for a second generous helping of IAM. EIC was also replete with authorization talks and AuthZEN presentations. My peer (and fellow editorial member) Alex Babeanu and I took part in a panel with fellow IAM expert Patrick Parker (EmpowerID): Unpacking Authorization Approaches: Policy as Code Versus Traditional Business Needs. You can watch the replay here.

On Thursday, Allan Foster, Adam Rusbridge, Alex Babeanu and I talked about the importance of standardization in authorization. All four of us are members of OpenID AuthZEN and both 3Edges and Axiomatics are part of the 12 conformant implementations.

On the last day of the conference, Gert Drapers led the second AuthZEN interop: the focus was on use cases brought by individuals from the manufacturing and banking sectors.

Allan Foster and I also sat down with Martin Kuppinger to talk about Authorization with AuthZEN – The Future of Digital Identity. You can watch the full replay here.

July 2024 – AuthZEN meets OAuth at IETF

OAuth focuses on “access delegation” (and, through OpenID Connect, authentication). Authorization (ABAC, ReBAC, or other models) focuses on access control. Can both be used together? That’s what Eve Maler, Justin Richer, Allan Foster, and I attempted at IIW last October (notes). This led to a first attempt in the form of the AuthZEN Request/Response Profile for OAuth 2.0 Rich Authorization Requests (RAR), proposed during IETF 120 in Vancouver. The profile suggests using the AuthZEN request format to carry a RAR request from a client to the authorization server. The hope is that this will increase interoperability and “integrability” between OAuth-based systems and policy decision points. For more information, check out the presentation slides or join OpenID’s Slack for a live discussion.

What’s next for AuthZEN?

The WG is already actively working on the next iteration of the standard. Members have reached consensus on a batch authorization request API (sometimes called boxcarred requests). We are planning an interop at AuthenticateCon in October and at IIW a few weeks later. If you would like to join the WG, especially as a customer (non-authorization-vendor) organization, we’d love to hear about your use cases. Join us on OpenID’s website.
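As an added example, not code from the working group or from any of the interop implementations, here is a small policy decision point in Python that answers the yes/no evaluation request described in the Identiverse interop section (subject, resource, action and optional context in; a boolean decision out) and the boxcarred batch of such requests mentioned above. The documents, rules and relations are constructed; the /access/v1/ endpoint paths and the way batch items inherit top-level fields are my assumptions about the implementer's draft and the batch API still being finalized, so check them against the current specification.

```python
"""A minimal AuthZEN policy decision point: the single evaluation request of
the implementer's draft, plus a boxcarred batch of evaluations."""
import json

# Constructed policy information: who owns and who may see each document.
DOCUMENTS = {
    "123": {"owner": "alice@example.com", "shared_with": ["bob@example.com"]},
    "456": {"owner": "carol@example.com", "shared_with": []},
}

# Constructed rules: (subject type, action name, resource type) -> relations,
# any one of which the subject must hold to the resource. Unmatched = deny.
RULES = {
    ("user", "can_read", "document"): {"owner", "shared"},
    ("user", "can_delete", "document"): {"owner"},
}


def relations(subject_id, resource_id):
    """Tiny policy information point: which relations the subject holds to the resource."""
    doc = DOCUMENTS.get(resource_id)
    if doc is None:
        return set()
    held = set()
    if doc["owner"] == subject_id:
        held.add("owner")
    if subject_id in doc["shared_with"]:
        held.add("shared")
    return held


def evaluate(request):
    """One AuthZEN evaluation request -> {"decision": bool}. Malformed requests
    are denied rather than raised, so a PEP never sees an allow it did not ask for.
    The optional response 'context' carries the reason without changing the boolean."""
    try:
        subject = request["subject"]
        resource = request["resource"]
        action = request["action"]
        key = (subject["type"], action["name"], resource["type"])
        subject_id, resource_id = subject["id"], resource["id"]
    except (KeyError, TypeError):
        return {"decision": False, "context": {"reason": "malformed request"}}
    required = RULES.get(key)
    if not required:
        return {"decision": False, "context": {"reason": "no rule for this subject/action/resource"}}
    allowed = bool(relations(subject_id, resource_id) & required)
    return {"decision": allowed}


def evaluations(batch):
    """Boxcarred evaluations: each item is decided independently and the decisions
    come back in request order. Item fields fall back to the top-level
    subject/resource/action/context (an assumption about the batch shape), so a
    PEP can ask "which of these documents may Alice read?" without repeating Alice."""
    defaults = {k: batch[k] for k in ("subject", "resource", "action", "context") if k in batch}
    results = []
    for item in batch.get("evaluations", []):
        merged = dict(defaults)
        merged.update(item)
        results.append(evaluate(merged))
    return {"evaluations": results}


def handle(path, body):
    """Dispatcher for the two endpoints; the paths are this writer's assumption
    about the draft's /access/v1/ prefix."""
    request = json.loads(body)
    if path == "/access/v1/evaluation":
        return json.dumps(evaluate(request))
    if path == "/access/v1/evaluations":
        return json.dumps(evaluations(request))
    raise ValueError("unknown endpoint: " + path)


if __name__ == "__main__":
    print(handle("/access/v1/evaluation", json.dumps({
        "subject": {"type": "user", "id": "alice@example.com"},
        "resource": {"type": "document", "id": "123"},
        "action": {"name": "can_read"},
    })))
```

Default deny is the property to keep: an unknown action, an unknown resource type or a malformed request returns a false decision rather than an error the PEP might misread as an allow. The batch form is where the interoperability payoff shows up, since a page listing many documents needs one round trip to the PDP instead of one per row.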

Disclaimer: The views expressed in the content are solely those of the author and do not necessarily reflect the views of the IDPro organization.

Author

In his role as CTO, David drives the technology vision and strategy for Axiomatics based on both identity and access management (IAM) market trends as well as customer feedback. He also leads the company’s strategy for standards and technology integrations in both the IAM and broader cybersecurity industries. David is a founding member of IDPro, a co-author of the OASIS XACML standard, and an expert on standards-based authorization as part of an overall IAM implementation. Most recently, David led the design and development of Salesforce’s identity offering, including customer identity and access management (CIAM) solutions.

The post Updates from AuthZEN appeared first on IDPro.
