Musings on Digital Identity

Month: December 2025

COSE HPKE Spec Aligned with JOSE HPKE Spec

The “Use of Hybrid Public-Key Encryption (HPKE) with CBOR Object Signing and Encryption (COSE)” specification has been updated to align with pertinent changes recently applied to the JOSE HPKE specification. Changes in draft 19 are:

  • Uses distinct algorithm identifiers for the use of HPKE for Integrated Encryption and HPKE for Key Encryption.
  • Adds HPKE-7 algorithms.
  • Defines use of the RFC 9052 Enc_structure for COSE HPKE.

The next draft of COSE HPKE should update the examples to correspond to these changes. After that, I believe the next step is to hold another set of concurrent working group last calls (WGLCs) for both specifications.

OpenID Federation Discussion at 2025 TechEx

I was encouraged by Pål Axelsson to hold an unconference discussion giving an overview of OpenID Federation during the 2025 Internet2 Technology Exchange conference in Denver. So I did so with a receptive and engaged group of participants yesterday, Thursday, December 11, 2025. See the notes from the Thursday session by Phil Smart, which include links to multiple Federation pilots.

Afterwards, several people told me that they were sorry to have missed it. So I reprised the discussion today, Friday, December 12, 2025, with a second equally engaged and mostly non-overlapping set of participants. See the notes from the Friday session by James Cramton, which capture both the breadth of participation and some of the key points made. Mihály Héder from Hungary is prototyping and was particularly engaged.

See the deck I used to queue up discussion points titled “OpenID Federation Overview” (pptx) (pdf).

The participants were some of the world’s experts in multi-lateral federation. It was great spending time with them and learning from them!

My Unplanned Multi-Platform Passkey Adventure

I am my wife Becky’s password manager. I keep all of her passwords (and mine) in an encrypted Excel spreadsheet – something I’ve done since before password manager applications existed.

Yesterday I had reason to log into her Amazon account to help her place an order for puppy food and encountered a surprise. The password I’d diligently saved in my spreadsheet (and which Firefox had also helpfully saved for me) didn’t work. Instead, Amazon told me the password was invalid and suggested that I log in with a passkey.

So I asked Becky if she’d created a passkey for Amazon. She didn’t know. She looked in the passwords application on her iPhone, and sure enough, she had a passkey saved for amazon.com.

I knew it should be possible to use the passkey on her iPhone from Firefox on Windows 11 to sign into amazon.com, but I’d never actually tried it myself. I work on this stuff after all, so I thought I’d give it a go. Here was my experience, to the best of my recollection…

  1. When trying to sign into Becky’s Amazon account in Firefox on Windows 11 – something I’d done many times before – amazon.com told me that the password for Becky’s account was invalid. (It was the same password she’d always had and she hadn’t changed it.) It then asked if I wanted to sign in with a passkey.
  2. Having confirmed with Becky that she had a passkey for amazon.com on her iPhone, I clicked the “Sign in with a passkey” button.
  3. I was asked whether my passkey was in Windows Hello or on an iPhone or iPad or Android device. I clicked the “iPhone or iPad or Android device” button.
  4. I was told to scan a QR code that Windows presented. We scanned it with Becky’s iPhone. The iPhone asked a confirmation question about whether we wanted to release the passkey to another device (the details of which I can’t recall). I said “Yes”.
  5. Apple (or maybe Amazon?) sent her iPhone a text message with a 6-digit code that we had to enter to confirm that we wanted to release the passkey. We did that.
  6. Sometime during this process, Windows brought up a dialog box that told me my Bluetooth was off and asked me if I wanted to turn it on. I said “Yes” and it helpfully took me to another dialog that let me turn it on. I’ll note that it didn’t explain why I would want to turn Bluetooth on. (I knew, because I worked on the FIDO Hybrid flow, but that makes me highly unusual.) I suspect that to most people, that would be a mystery and probably a non sequitur. Many might have said “No”.
  7. Soon after that, Windows (or maybe Amazon?) asked me if I wanted to duplicate the passkey to this device. I said “Yes”.
  8. And voila, I was logged into Becky’s Amazon account in Firefox on Windows 11!
  9. At this point I decided to go for broke. I logged out of Amazon. And tried to log back in.
  10. After entering her e-mail address as the username, Amazon prompted me to log in with a passkey. I did that, only this time no QR code was presented, we didn’t use her phone at all, and I was apparently logged in using a passkey saved in Windows Hello.
  11. So I was once again back to a state where I could log into Amazon as Becky on my Windows machine in Firefox, just like I previously could with a password.
  12. This user experience left me with a question: Was the passkey on her iPhone truly duplicated to Windows or did Amazon create a different passkey? (I suspected the latter.) Visiting the Your Account / Login & Security / Passkey page at Amazon (which required entering another 6-digit code) gave me the answer:

Amazon Passkeys

Observations and Conclusions

  • It all worked. I didn’t know that it would – especially since it involved four vendors: Amazon, Microsoft, Mozilla, and Apple. That, in and of itself, was impressive.
  • There were a lot of steps to navigate, some of them unexplained. I knew the right answers to make it work. I wasn’t deterred when I was told the password was wrong. I turned Bluetooth on when prompted. I scanned the QR code. I agreed to release the passkey to another device. I agreed to duplicate the passkey to this device. Others might not have achieved the same outcomes. (I’d love to see the results of a user study among a representative population trying to do the same thing. Can anyone point me to something like that?)
  • Congratulations to all the engineers at all these platforms who have put in the significant effort to make this all work together! It’s a testament both to the interoperability made possible by the standards and to your implementations of them.

I’d be interested in hearing about others’ passkey adventures.

Finishing the OpenID Federation 1.0 Specification

The OpenID Federation 1.0 specification has started its 60-day review to become an OpenID Final Specification. Draft 46 of the specification, which was published today, is the target of the 60-day review.

Thanks to all who participated in the Working Group Last Call (WGLC) review, which was based on Draft 45. Your feedback resulted in a number of clarifications and editorial improvements. The changes made in -46 are detailed in the Document History section.

Almost there!
