
Not-user-verifying Platform Authenticator #20

Open
keikoit opened this issue Oct 18, 2020 · 2 comments

Comments

@keikoit

keikoit commented Oct 18, 2020

In the table "Physical manifestation of the authenticator" in "1. Overview", there is a mention of a Not-user-verifying Platform Authenticator as defense-in-depth against malware. In the note, there is the following explanation: "This combination is mostly applicable in enterprises that require frequent malware-resistant credential refreshes, but is not covered in this guide."

What is a Platform Authenticator without User Verification, for example?
Also, what specific use cases and assumptions do companies that need to refresh their malware-resistant credentials frequently have?
It would be greatly appreciated if you could give us a supplementary explanation.

@Kieun
Member

Kieun commented Nov 10, 2020

You can imagine that you just click some hardware button (to get consent securely from the user or prove user presence, rather than verifying the user) to generate a fresh signature for authentication, authorization or others. E.g., the Android platform has a feature called Android Protected Confirmation.
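The distinction Kieun describes (user presence via a button press versus user verification via PIN or biometric) is visible to the relying party in the flags byte of WebAuthn authenticator data: bit 0 is UP (User Present) and bit 2 is UV (User Verified). The following is an added example, not code from the guide or from anyone in this thread, showing how a relying party parses that prefix and decides whether a presence-only assertion from a non-user-verifying platform authenticator is acceptable under its policy. The function names, the policy logic and the sample byte strings are constructed for illustration; the layout (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount) and the flag bit values are those of the WebAuthn specification.

```python
import hashlib
import struct

# WebAuthn / CTAP2 authenticator-data flag bits (spec-defined values).
FLAG_UP = 0x01  # User Present: a physical gesture (e.g. button press) was observed
FLAG_UV = 0x04  # User Verified: the authenticator checked a PIN or biometric
FLAG_AT = 0x40  # Attested credential data follows (registration only)
FLAG_ED = 0x80  # Extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])  # big-endian uint32
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def evaluate_assertion(auth_data: bytes, expected_rp_id: str,
                       last_sign_count: int, require_uv: bool) -> tuple:
    """Hypothetical relying-party policy check for one assertion.

    Returns (accepted, reason). A presence-only (UP without UV) assertion is
    accepted only when the policy does not require user verification, which is
    the mode a non-user-verifying platform authenticator operates in.
    """
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return False, "rpIdHash does not match the expected RP ID"
    if not parsed["user_present"]:
        return False, "UP flag not set: no user gesture was observed"
    if require_uv and not parsed["user_verified"]:
        return False, "policy requires UV but the authenticator did not verify the user"
    # A counter of 0 means the authenticator does not implement one; otherwise
    # it must strictly increase, or the credential may have been cloned.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: assemble a 37-byte authenticator-data prefix for tests."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


# Constructed sample assertions for a hypothetical RP "example.com".
SAMPLE_UP_ONLY = build_auth_data("example.com", FLAG_UP, 42)           # button press only
SAMPLE_UP_AND_UV = build_auth_data("example.com", FLAG_UP | FLAG_UV, 43)  # PIN/biometric also checked


if __name__ == "__main__":
    for label, data, req in (("UP-only, UV not required", SAMPLE_UP_ONLY, False),
                             ("UP-only, UV required", SAMPLE_UP_ONLY, True),
                             ("UP+UV, UV required", SAMPLE_UP_AND_UV, True)):
        print(label, "->", evaluate_assertion(data, "example.com", 41, req))
```

The `require_uv` switch is where the deployment decision from the guide's table lands: an enterprise that accepts presence-only signatures gets a fresh, hardware-gated signature on every use without asking the user to re-verify, and still checks the rpIdHash and counter so that malware on the host cannot replay an old assertion.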

@maxhata

maxhata commented Nov 13, 2020

You mean this?

https://android-developers.googleblog.com/2018/10/building-titan-better-security-through.html

Providing backing for the Android Strongbox Keymaster module, including Trusted User Presence and Protected Confirmation. Titan M has direct electrical connections to the Pixel's side buttons, so a remote attacker can't fake button presses. These features are available to third-party apps, such as FIDO U2F Authentication.

I wonder if there is any public document describing the same for iPhone.

Since not many readers know about this feature, I think we need to add a footnote to briefly describe what the description in the table means.
