
The NIST AAL3 specification requires

In order to authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication protocol(s)

Consider a Windows 10 tablet device with a hardware TPM (v2.0) and Windows Hello for Business. The private keys for the user can only be used in conjunction with either the PIN or the biometrics on the device. The device is AD domain enrolled and only used within the organisation. The specific use case is FIDO2 (WebAuthn) authentication using WHfB as the authenticator.

Would the audience consider that the user's identity (private key in TPM) on the device is sufficient for the possession and control element of something you have in the specification?

Or do people believe that the device must be single user to achieve this? (i.e. the physical possession precludes anyone else having access - cf. yubikey / token etc)

I have searched high and low for opinions on this on the web and the only reference to it I have found is from Microsoft themselves:

Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq#is-windows-hello-for-business-multifactor-authentication

It would seem to me that this would be a common use case, with the rise in the number of devices capable of securing keys through hardware security capabilities and the inherent cost savings of a shared device and fewer things to lose.
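As an added example (not part of the original post, and not Microsoft's or NIST's code): the only evidence a relying party actually receives about the two factors described above is the WebAuthn authenticator data. The UV flag says the private key was released by the PIN or biometric, and the AAGUID says which authenticator model holds the key (trusted only after the attestation statement is verified). The parser and policy check below exercise both; `login.example.com`, the AAGUID value and the credential id are constructed placeholders, and the COSE public key is stood in for by an empty CBOR map because it is not parsed here.

```python
# Added example: parse WebAuthn authenticator data and enforce a registration
# policy that requires user verification (UV) plus a hardware-backed AAGUID.
# RP_ID, HW_AAGUID and the credential id are constructed placeholders.
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

FLAG_UP = 0x01  # user present (touch/gesture)
FLAG_UV = 0x04  # user verified: PIN or biometric released the private key
FLAG_AT = 0x40  # attested credential data follows (registration responses)
FLAG_ED = 0x80  # extension data follows (not parsed here)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]        # 16 bytes, only present when FLAG_AT is set
    credential_id: Optional[bytes]


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed header and, if present, the attested credential data.

    Layout (WebAuthn Level 2, section 6.1):
      rpIdHash(32) | flags(1) | signCount(4, big-endian)
      [ aaguid(16) | credentialIdLength(2) | credentialId | COSE public key ]
    The trailing COSE key is CBOR and is left unparsed here.
    """
    if len(data) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)


def check_registration_policy(auth: AuthData, rp_id: str,
                              hardware_backed_aaguids: Set[bytes]) -> Tuple[bool, str]:
    """Accept a registration only if both factors are asserted: user
    verification (PIN/biometric) and a hardware-backed authenticator model."""
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth.flags & FLAG_UP:
        return False, "user presence not asserted"
    if not auth.flags & FLAG_UV:
        return False, "user verification not asserted: key not gated by PIN/biometric"
    if auth.aaguid is None:
        return False, "no attested credential data in registration response"
    if auth.aaguid not in hardware_backed_aaguids:
        return False, "AAGUID not on the hardware-backed allowlist"
    return True, "ok"


def build_sample_authdata(rp_id: str, flags: int, aaguid: bytes,
                          credential_id: bytes = b"\x01" * 16,
                          sign_count: int = 0) -> bytes:
    """Constructed test vector; a real authenticator signs this plus the client data hash."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + b"\xa0")  # CBOR empty map standing in for the COSE public key


# Constructed placeholders: a made-up RP id and a made-up AAGUID. In production the
# allowlist comes from the FIDO Metadata Service and the AAGUID is only trusted after
# the attestation statement has been verified.
RP_ID = "login.example.com"
HW_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    good = build_sample_authdata(RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, HW_AAGUID)
    print(check_registration_policy(parse_authenticator_data(good), RP_ID, {HW_AAGUID}))
    no_uv = build_sample_authdata(RP_ID, FLAG_UP | FLAG_AT, HW_AAGUID)
    print(check_registration_policy(parse_authenticator_data(no_uv), RP_ID, {HW_AAGUID}))
```

Two caveats matter for the AAL3 question. The UV flag is asserted by the authenticator, so it is only as trustworthy as the attestation that identifies the authenticator; without verified attestation a software authenticator can set the same bit. And nothing in the authenticator data tells the relying party whether the tablet is shared or single-user: the rpIdHash binding gives the verifier-impersonation resistance AAL3 also requires, but the possession question has to be settled by device policy, not by the protocol.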

  • Same as a password, it's supposed to be used only by one person. – user Feb 18 '20 at 16:01
  • @user would you care to expand? The private key in a TPM can only be used by the user it was created for and can only be unlocked for use by either the WHfB PIN or biometrics. It is entirely different to a password. – MrMoosehead Feb 18 '20 at 16:08
  • I wouldn't consider it secure if someone else has access to a hardware token since there may be attacks that can be done against it with physical access. I remember one attack on a specific smart card involved using acid to remove the plastic to get access to the actual chip. TPM implementations will vary by vendor, so I'm sure there may be physical attacks on them too. – user Feb 18 '20 at 17:04
  • We are talking about users within the same organisation which goes some way to mitigating the problems you describe. All users will have been vetted to IAL3 plus organisational processes and as such will have been deemed trustworthy enough to use the device in their own right. – MrMoosehead Feb 19 '20 at 08:12
  • Typically you'll also want to protect against malicious actors that are within the organization, but if hardware tampering isn't being considered then it should be secure (as long as each user has a different PIN/password for the device). – user Feb 19 '20 at 13:20

0 Answers