Sept 29, 2023

In the previous entry, I highlighted some of the key benefits I see with the adoption of FIDO Passkeys as a strong and convenient authentication that benefits both end user and online businesses. While these authenticators have the potential to overhaul the cybersecurity landscape in a beneficial way, they also introduce some intriguing challenges because of the way it changes how access can be transferred between individuals.

Business Advantage: Curtailing Account Sharing

For businesses, there's a unique advantage to such authentication mechanisms: they naturally deter account sharing. Traditional credentials can be easily shared, whether intentionally or unintentionally. Consider this relatable scenario: My daughter recently got a new phone, and I soon received a message asking for access to the shared account. It’s a simple request, but it illuminates the ease with which passwords can be shared. With non-transferrable authenticators, this common practice becomes notably more challenging, as account access is intimately tied to a physical device or unique user attribute. This is particularly advantageous for businesses that offer subscription-based services, ensuring that only the legitimate account owner can access the service.

Rethinking Authorization: Enter Groups and Households

The adoption of non-transferrable authenticators poses a compelling question: How do businesses cater to scenarios where shared access is legitimate and even necessary?

To address this, there's a need to rethink authorization schemes. Instead of the classic single-owner model, businesses might adopt an authorization group or household model. Under this framework, a primary account holder can invite members into their "group" or "household", granting them specific privileges or levels of access. It becomes analogous to how streaming services allow multiple profiles under one subscription.

There are companies doing this already, and I think they can provide a great examples of ways to manage the individual access, preferences and profile under a single subscription model. It is a cost-effective solution for families and adapts to the demands of balancing security and individual user experiences.

This shift brings a fresh set of advantages:

• Granular Control: Authorization groups can provide different access levels, ensuring that each member gets precisely the access they need, no more, no less.

• Audit Trail: With distinct profiles, businesses can monitor actions individually, enhancing accountability and facilitating troubleshooting.

• Enhanced Usability: A streamlined process for managing group members and permissions results in an improved user experience.

Navigating the Challenges

However, creating and incorporating new authorization approaches isn’t without its set of challenges:

• Complexity: Introducing a multi-user authorization model inherently adds complexity to systems, both in terms of development and user comprehension.

• Recovery Mechanisms: If a primary account holder loses their authenticator, recovery mechanisms must be robust and secure to prevent unauthorized access while allowing legitimate users to regain control, perhaps even assisted by the group/household.

A New Balancing Act

As cybersecurity threats continue to evolve, so too must our defense strategies. Non-transferrable authenticators like FIDO passkeys represent a promising step forward, offering heightened security and an enhanced user experience. But as businesses transition to these advanced methods, they'll need to be mindful of the nuanced challenges they introduce, adapting their models to accommodate shared access while retaining the core promise of security. As with most advancements, the key lies in balancing innovation with practical implementation.