Detached FIDO Authentication
TL;DR We want to enforce FIDO-only to achieve phishing-resistant authentication without the possibility of downgrade attacks. But many WebViews in legacy applications do not support WebAuthn. Use case: how do you enforce FIDO-only even if your users use mobile apps or desktop applications that contain legacy WebViews to render the authentication flow? We call it “Detached FIDO Authentication”: provide the option to jump out of applications that use legacy WebViews (which do not support WebAuthn) into the operating system's standard browser....