FIDO Does Not Fit Into Web3.0
FIDO Has A Trust Problem
From the perspective of Web3.0, FIDO has a trust problem and does not really fit the Web3.0 internet. Let me explain how. Remember the second question: "How does the verifier get the public key of the prover to verify a digital signature?"
The problem with digital signatures is that, no matter how secure the algorithm you use, the whole system fails if the keys are not managed properly.
The FIDO server holds the public keys of all its users and is likely to become a huge registry of trusted public keys over time, especially in a third-party centralised Identity Provider (IDP) setting, which most relying parties would like to use because it offloads the complexities of authentication to the IDP.
FIDO servers are therefore likely to become centralised data silos, and we all know the problems with centralised systems, especially when it comes to identity management:
1. Becomes a honeypot for attackers - one place where all the keys are stored!
2. Prone to trust problems - issuance and verification by the same system!
3. Prone to scalability problems - a single point of failure!
4. Tracking and traceability are also possible - the FIDO server can link users with the RP!
and so on.
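To make points 2 and 4 concrete, here is an added illustration (not code from the original page or from any FIDO implementation) that models the centralised server as a Go map from user@relying-party to the enrolled Ed25519 public key. The user name, relying-party names and challenge are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"strings"
)

// Registry models a centralised FIDO server / IdP: the same system that
// enrols a user's public key later verifies signatures against it.
type Registry struct {
	keys map[string]ed25519.PublicKey // "user@rp" -> enrolled public key
}
// Register stores (and silently overwrites) the key for a user at a relying party.
func (r *Registry) Register(user, rp string, pub ed25519.PublicKey) { r.keys[user+"@"+rp] = pub }

// Verify trusts whatever key the registry currently holds for user@rp.
func (r *Registry) Verify(user, rp string, challenge, sig []byte) bool {
	pub, ok := r.keys[user+"@"+rp]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// LinkedRPs lists every relying party at which the registry has seen this
// user: the operator can correlate one person across services from its table.
func (r *Registry) LinkedRPs(user string) []string {
	var rps []string
	for k := range r.keys {
		if strings.HasPrefix(k, user+"@") {
			rps = append(rps, strings.TrimPrefix(k, user+"@"))
		}
	}
	return rps
}

// Demo returns: honest sig accepted; same sig after key swap; swapped key's sig; linked RPs.
func Demo() (bool, bool, bool, []string) {
	reg := &Registry{keys: map[string]ed25519.PublicKey{}}
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Register("alice", "bank.example", alicePub) // constructed sample RPs
	reg.Register("alice", "shop.example", alicePub)
	challenge := []byte("constructed-challenge-001")
	sig := ed25519.Sign(alicePriv, challenge)
	honestOK := reg.Verify("alice", "bank.example", challenge, sig)
	// A compromised or dishonest registry overwrites the enrolled key: Alice's genuine
	// signature now fails and one under the new key passes; Ed25519 was never broken.
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	reg.Register("alice", "bank.example", otherPub)
	swapped := ed25519.Sign(otherPriv, challenge)
	return honestOK, reg.Verify("alice", "bank.example", challenge, sig), reg.Verify("alice", "bank.example", challenge, swapped), reg.LinkedRPs("alice")
}
```

The outcome of every verification depends only on what the registry stores, which is exactly why its integrity, and the trust placed in its operator, is the weak point.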