@boblord often, customer support staff also have access to customer data as it is fundamental to their daily work. There are significant barriers to FIDO authentication for those populations - a few big ones are:

-many organizations contract out support. If you aren’t a giant corporation, you may have limited ability to influence very specific security controls that aren’t already pervasive in the industry. Most contract call centers are providing service for multiple brands simultaneously. They’re often not inclined to change their procedures for the demands of one client unless that client is *the* big client. Even then, the process is very slow.

-their customer relationship management tooling may not support FIDO, or may not allow them to connect external hardware, etc.

-many contract call centers are overseas. Importing security tokens of any kind, but especially security keys, can be challenging. This creates continuous supply chain problems to manage.

-cost. Security keys are still very expensive. Call center turnover is fairly high, adding to operational overhead to manage and replenish keys. (And if these employees are international, point above compounds this)

On top of this, you have all the familiar concerns about ease of use, account recovery, etc. built-in FIDO authenticators leveraging device TPM are useful, but these employees may not have 1:1 workstation assignments, meaning you’d need to provision a key for every one of hundreds of workstations they may use. Now consider again the high turnover. Operational IT nightmare ensues :( and call centers can’t afford downtime.

Passkeys from built-in devices can help change this, but I’m not convinced they’re a full fix at this point. The key to device provisioning remains a challenge, because cell phones and other personal devices that could be used to narrow the number of keys for employees are often banned from the call floor for other security reasons. And the actual computers these employees are using may be cheaper, older devices that may or may not support biometrics, etc.

This is just one population. I don’t think that non-operations groups have much of an excuse, but ops is also one of the biggest groups with access to clear customer data. :)

@boblord Do you have any favorite examples?

My degrees were in political science. I feel like I still draw a lot of comparisons I learned from social science studies into my work, although it gets harder as the years I’ve spent in tech slowly eclipse the years I spent studying poli sci.

@boblord I can’t help you with a link, and in fact when I tried to find such a video I mostly hit results talking about the controversy of some fire response teams going *back* to private. :)

But I think about this type of move in the context of security frequently. There’s a relative advantage for some services to be managed by governments vs. delegated to private industry. Cybersecurity feels like a clear public interest but the shift of much critical infrastructure to privately held digital enclaves would make that model slow & impossible to scale with public management alone.

Curious what you do with it once you find that video!