I am a part of an organization that is developing a website that requires user authentication, and we are strongly considering FIDO compliance.

However, our use case requires users to be able to log in from shared computers (e.g. a father and son may share the same computer). And we cannot expect our users to carry around a FIDO authentication token (U2F key) as well.

In such a scenario, is it safe to use on-device biometric sensors (e.g. cameras, fingerprint scanners) on a shared device to authenticate multiple users?

1 Answer

I do not know of any build with FIDO compliance. Furthermore: you have no control over what webcam/fingerprint sensor/... the users are using.

So, FIDO aside, is it safe?

The answer is simple: you have no control whatsoever over the computer that is used to access your website (might be a Win10, might be a Kali). If you make devices that you cannot control part of your chain of assurance, it is not safe, unless you take additional measures.

Furthermore: you will require your users to give your website access to their webcam. That may be acceptable in your users' community, but it certainly is not acceptable in ours. That is something you need to consider too.

Ljm Dullaart