| ▲ | tux3 9 days ago |
| Microsoft Entra ID goes out of its way to enforce attestation for FIDO2 keys. The protocol normally allows you to omit the attestation, but they worked in an extra call after a successful registration flow that sends you to an error page if your FIDO2 passkey isn't from one of these large approved vendors: https://learn.microsoft.com/en-us/entra/identity/authenticat... I found out by trying to prototype my own FIDO2 passkey, and losing my mind trying to understand why a successful flow that worked fine on other websites failed with Microsoft. It turns out you are not allowed to do that. |
| ▲ | frameset 9 days ago | parent | next [-] |
| To defend Redmond here, Entra is an enterprise system. If the company you work for or are interfacing with wants to enforce attestation, that's their business. B2C I would expect more latitude on requiring attestation. |
| ▲ | Zak 9 days ago | parent | next [-] | | A problem is that once a thing like that exists, it ends up on security audit checklists and then people do it without knowing whether they have any reason to. | |
| ▲ | technion 9 days ago | parent | prev | next [-] | | I would counter-argue, being the person pushing passkeys in an enterprise: no one in the business knows what attestation is, but we're going to do it because the interface recommends it. | | |
| ▲ | jrockway 9 days ago | parent [-] | | I'm not sure it's the standards committee's fault that your employer hires people that don't know how to do their job. I think it's reasonable to have attestation for the corporate use case. If they're buying security devices from a certain vendor, it's reasonable for their server to check that the person pretending to be you at the other end is using one of those devices. It's an extra bit of confidence that you're actually you. | | |
| ▲ | ori_b 9 days ago | parent | next [-] | | It's the standards committee's job to design standards that are difficult to misuse. | |
| ▲ | raxxorraxor 3 days ago | parent | prev [-] | | The most common fault of committees is that they overengineer processes and specs wander out of scope. The result is that users (dev & consumers) either neglect the bad parts or the spec doesn't get used at all. |
| ▲ | clickety_clack 9 days ago | parent | prev | next [-] | | Exactly. For personal authentication, you are at least personally incentivized to do the right things. For corporate auth, people will do whatever it takes to skip any kind of login. I once knew a guy who refused to let his office computer go to sleep just to avoid having to enter his password to unlock his computer. He was a really senior guy too, so IT bent to allow him to do this. What finally made him lock his computer was a colleague sending an email to all staff from his open Outlook saying "Hi everyone, it's my birthday today and I'm disappointed because hardly anyone has come by to wish me happy birthday". The sheer mortification made him change his ways. | | |
| ▲ | projektfu 9 days ago | parent | next [-] | | A culture of harmlessly pranking computers left unlocked goes a long way. ThoughtWorks veterans know what I mean. | |
| ▲ | tonyhart7 9 days ago | parent | prev [-] | | lol this is funny, why didn't he want to sign in more often though??? | | |
| ▲ | clickety_clack 9 days ago | parent | next [-] | | He was completely non technical and I guess he figured that IT should be able to work the security system around him. | |
| ▲ | adam_hn 9 days ago | parent | prev [-] | | The most common human trait ever.... laziness |
| ▲ | eadmund 9 days ago | parent | prev [-] | | Don’t put in place systems which encourage lock-in, even at the B2B level. | | |
| ▲ | lmz 9 days ago | parent [-] | | Aren't those usually used inside an enterprise vs B2B between enterprises? |
| ▲ | rcxdude 9 days ago | parent | prev | next [-] |
| Ah, and even if you can turn it off as the administrator, you still need to include the attestation, it's just not checked. Gotta love Microsoft... |
| ▲ | wkat4242 9 days ago | parent [-] | | Yeah Microsoft is so annoying. It's also kicking me out every day now (with this passive aggressive "hang on while we're signing you out" message). On M365 business with Firefox on Linux with adblocker. I hate using their stuff so much. | | |
| ▲ | gmokki 8 days ago | parent [-] | | Same has been happening for a few months. I get thrown out of all O365 services multiple times each day. | | |
| ▲ | wkat4242 8 days ago | parent [-] | | Yes, me too since a couple of months :( So annoying. It doesn't of course happen on Windows. It started with OneNote web a couple of years ago. Every day that gave a popup "Your session needs to be refreshed" and it would reload all over again. Microsoft doesn't bother to make a OneNote desktop app for my platform and the web version is really terrible anyway (you can only search in one tab, not a whole notebook). So I moved to self-hosted Obsidian, which I'm really happy with. Now I can basically see myself typing in a note from another client. But replacing Microsoft for email is another topic. |
| ▲ | tialaramex 9 days ago | parent | prev [-] |
| I don't work in August, so I can't (well, won't) check, but my boss had the infrastructure team turn on FIDO2 for the mandatory 2FA on our administrative accounts and I do not remember having any problems with this. I do remember explicitly telling them (because of course having agreed to do this they have no idea how and need our instructions) not to enable attestation because it's a bad idea, but you seem to be saying that it'll somehow be demanded (and then ignored) anyway and that was not my experience. So, I guess what I'm saying here is: Are you really sure it's demanded and then ignored if you turn it off from the administrative controls? Because that was not my impression. |
| ▲ | tux3 9 days ago | parent [-] | | It's been a little while, but I believe at the time you'd get a CTAP/CBOR MakeCredentialRequest, the browser would ask you to confirm that you allow MS to see the make and model of your security key, and it would send the response to a Microsoft VerifySecurityInfo API. If you refused to provide make and model, IIRC you would fail the check whether enforcement was enabled or not. Then if enforcement was enabled and your AAGUID didn't match the list, you would see a different error code. Either way, you're sending over an attestation. They understandably forbid attestation format "none" or self-signed attestations. It's possible that this has changed, but the doc page still seems to say they won't accept a device without a packed attestation, it's only that the AAGUID check can currently be skipped. |
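Added illustration, not code from the thread or from Microsoft: a small Python relying-party check that models the policy tux3 describes above. It decodes the CBOR attestationObject a browser hands back after MakeCredential, refuses `fmt` "none" and packed self-attestation (no `x5c`) unconditionally, and then enforces an AAGUID allowlist only when the administrator has turned enforcement on. The CBOR codec is a minimal subset written for the example; the AAGUIDs, credential ID, public key point and certificate bytes are constructed placeholders (no real vendor AAGUIDs); and verifying the `x5c` chain and signature against FIDO MDS is deliberately out of scope. Whether this matches the internals of the VerifySecurityInfo call is an assumption based only on the comment.

```python
import hashlib
import uuid

# ---- minimal CBOR (RFC 8949) subset: ints, bytes, text, arrays, maps (example code) ----

def _head(buf, i):
    """Decode one CBOR initial byte plus its length argument at offset i."""
    mt, ai = buf[i] >> 5, buf[i] & 0x1F
    if ai < 24:
        return mt, ai, i + 1
    if ai > 27:
        raise ValueError("unsupported additional info %d" % ai)
    n = 1 << (ai - 24)                       # 24 -> 1 byte, 25 -> 2, 26 -> 4, 27 -> 8
    return mt, int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def cbor_decode(buf, i=0):
    """Return (value, next_offset) for the CBOR item starting at offset i."""
    mt, arg, i = _head(buf, i)
    if mt == 0:
        return arg, i
    if mt == 1:
        return -1 - arg, i
    if mt == 2:
        return bytes(buf[i:i + arg]), i + arg
    if mt == 3:
        return bytes(buf[i:i + arg]).decode("utf-8"), i + arg
    if mt in (4, 5):                         # array, or map decoded as alternating key/value items
        items = []
        for _ in range(arg * (2 if mt == 5 else 1)):
            v, i = cbor_decode(buf, i)
            items.append(v)
        return (dict(zip(items[::2], items[1::2])) if mt == 5 else items), i
    raise ValueError("unsupported CBOR major type %d" % mt)

def _enc_head(mt, n):
    if n < 24:
        return bytes([mt << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([mt << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large")

def cbor_encode(v):
    if isinstance(v, int):
        return _enc_head(0, v) if v >= 0 else _enc_head(1, -1 - v)
    if isinstance(v, bytes):
        return _enc_head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _enc_head(3, len(b)) + b
    if isinstance(v, list):
        return _enc_head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _enc_head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))

# ---- WebAuthn registration side ----

def build_attestation_object(fmt, aaguid, att_stmt, rp_id="example.com"):
    """Constructed attestationObject, i.e. what the browser returns from MakeCredential."""
    cose_key = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}  # dummy P-256 point, not a real key
    cred_id = b"\xab" * 16                                               # constructed credential ID
    auth_data = (hashlib.sha256(rp_id.encode()).digest()                 # rpIdHash
                 + bytes([0x45])                                         # flags: UP | UV | AT
                 + (0).to_bytes(4, "big")                                # signCount
                 + uuid.UUID(aaguid).bytes                               # AAGUID, 16 bytes
                 + len(cred_id).to_bytes(2, "big") + cred_id
                 + cbor_encode(cose_key))                                # credentialPublicKey
    return cbor_encode({"fmt": fmt, "attStmt": att_stmt, "authData": auth_data})

def parse_auth_data(auth_data):
    """Extract (aaguid, credential_id, cose_public_key) from authenticatorData."""
    if not auth_data[32] & 0x40:             # AT flag: attested credential data present
        raise ValueError("no attested credential data in authData")
    aaguid = str(uuid.UUID(bytes=auth_data[37:53]))
    cred_len = int.from_bytes(auth_data[53:55], "big")
    cred_id = auth_data[55:55 + cred_len]
    pub_key, _ = cbor_decode(auth_data, 55 + cred_len)
    return aaguid, cred_id, pub_key

def evaluate(attestation_object, approved_aaguids, enforce_aaguid=True):
    """Policy modelled on the thread's description (an assumption, not Microsoft's code):
    fmt 'none' and self-attestation are refused whether or not enforcement is on; the
    AAGUID allowlist only applies when enforce_aaguid is True. No x5c/signature check here."""
    att, _ = cbor_decode(attestation_object)
    fmt, att_stmt = att["fmt"], att["attStmt"]
    aaguid, _cred_id, _key = parse_auth_data(att["authData"])
    if fmt == "none":
        return False, "attestation format 'none' refused"
    if fmt != "packed":
        return False, "unsupported attestation format %r" % fmt
    if "x5c" not in att_stmt:
        return False, "packed self-attestation (no x5c) refused"
    if enforce_aaguid and aaguid not in approved_aaguids:
        return False, "AAGUID %s not on the approved list" % aaguid
    return True, "accepted AAGUID %s" % aaguid

APPROVED = "11111111-2222-4333-8444-555555555555"   # constructed placeholder, not a vendor AAGUID
UNKNOWN = "66666666-7777-4888-8999-000000000000"    # constructed placeholder for a homebrew key
DUMMY_X5C = [b"\x30\x82\x01\x00" + b"\x00" * 252]   # stands in for a DER attestation certificate
SELF_SIG = {"alg": -7, "sig": b"\x30\x44" + b"\x00" * 68}

def demo():
    cases = {
        "none":          build_attestation_object("none", APPROVED, {}),
        "self-attested": build_attestation_object("packed", APPROVED, SELF_SIG),
        "approved-key":  build_attestation_object("packed", APPROVED, dict(SELF_SIG, x5c=DUMMY_X5C)),
        "homebrew-key":  build_attestation_object("packed", UNKNOWN, dict(SELF_SIG, x5c=DUMMY_X5C)),
    }
    return {name: {"enforced": evaluate(obj, {APPROVED}, True),
                   "relaxed": evaluate(obj, {APPROVED}, False)} for name, obj in cases.items()}

if __name__ == "__main__":
    for name, r in demo().items():
        print("%-14s enforced=%s  relaxed=%s" % (name, r["enforced"], r["relaxed"]))
```

The "homebrew-key" case is the situation described in the thread: with enforcement on it is rejected for its AAGUID, with enforcement off it passes, but the "none" and self-attested cases fail either way, because the attestation still has to be sent and still has to be a packed, certificate-backed one. A real relying party would additionally verify the `x5c` chain and the signature over authData and the client data hash before trusting the AAGUID at all.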