Allow passkeys #45

Open: wants to merge 1 commit into main

Conversation

david-a-wheeler (Contributor)

Passkey portability is being developed, and once developed, passkeys may become widespread.

Strictly speaking they may not meet the definition of MFA, but I think they should be permitted. They're way better than passwords. Let's make that clear.

Signed-off-by: David A. Wheeler <[email protected]>
@eddie-knight (Contributor)

Need input from others on whether passkey is an acceptable alternative to MFA.

@david-a-wheeler (Contributor, Author)

I can see arguments either way. However, I think there's a very good chance that passkeys will become more common, so it needs to be clear.

It is possible to implement passkeys in a way that also meets MFA. However, the most likely approaches are client-side use of a password or biometric check to unlock use of the passkey private key. An organization could have a policy requiring this, but it's impractical to have any kind of automated check for that, and it's the sort of policy that would be trivially ignored.
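Whether the authenticator actually performed a local user-verification step (PIN, password or biometric) before releasing the passkey signature is visible to the relying party: the WebAuthn authenticatorData flags byte carries a UV bit, and the BE/BS bits report whether the credential is a synced (portable) passkey. The following is an added example, not code from this PR or the project it targets; the RP ID "example.org", the sign counter and the flag combinations are constructed sample values, and the policy function is a hypothetical relying-party rule, not something a third party could check across hosting platforms.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit layout of the WebAuthn authenticatorData flags byte (byte 32).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified: PIN, password or biometric checked at the authenticator
FLAG_BE = 0x08  # backup eligible: credential may be synced, i.e. a portable passkey
FLAG_BS = 0x10  # backup state: credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthDataSummary:
    user_present: bool
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> AuthDataSummary:
    """Parse the fixed 37-byte header of authenticatorData and check the RP ID hash."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed header")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    return AuthDataSummary(bool(flags & FLAG_UP), bool(flags & FLAG_UV),
                           bool(flags & FLAG_BE), bool(flags & FLAG_BS), sign_count)


def satisfies_mfa_policy(summary: AuthDataSummary) -> bool:
    """Hypothetical RP rule: a passkey assertion counts as multi-factor only when the
    authenticator reports local user verification (possession plus knowledge/inherence)."""
    return summary.user_present and summary.user_verified


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticatorData with no attested credential data or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = build_authenticator_data("example.org", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 7)
    summary = parse_authenticator_data(synced, "example.org")
    print(summary, "meets MFA policy:", satisfies_mfa_policy(summary))
```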

@funnelfiasco (Contributor) left a comment

LGTM with a minor non-blocking suggestion.

If you end up making additional changes to this before it's merged, I'd suggest splitting the spelling corrections on lines 10 and 13 into a separate commit.

Lines under review:

    project's version control system, requiring
    collaborators to provide a second form of
    authentication when accessing sensitive data
    or modifying repository settings.
    For purposes of this criterion passkeys are considered
Contributor (inline comment on the lines above)

Minor reworking suggestion:

    For this criterion, passkeys are considered an
