[chowell]

This line of reasoning doesn't hold up at all. The best practice advice 'avoid security through obscurity' has nothing to do with what you're talking about. Also, FIDO absolutely relies on secrets: that's what a security key stores.

I'd be interested to hear how you think law enforcement and intelligence could still work without confidentiality.

[tialaramex]

Although the typical design for a FIDO key uses what is technically a symmetric ("secret") key that's an implementation detail and the purpose of the FIDO device is to maintain asymmetric (private) keys.

If you've been under the impression that FIDO is just a shared secret system like TOTP then I've got great news, it's much cleverer than that. By not relying on secrets the system is robust against total incompetence by a relying party. If say Facebook paste all the U2F credentials they have for your account into a public Pastebin, not only can that not be used to attack your Login.gov account secured with the same FIDO key, it can't even be used to attack the Facebook account the credentials are for.

Military intelligence services actually rely heavily on analysis of public information. The value of the exciting and expensive Hollywood-style secret agent is mostly in their ability to do stuff, mostly illegal and immoral stuff, not a benefit to collecting intelligence.

[chowell]

You've totally lost me, and it's not because I misunderstand FIDO. The private key you refer to must be kept secret or the credential is compromised. Yes, this is undoubtedly better than passwords, because the system automatically prevents credential re-use across services and is more resilient than a password hash, but it still requires secrecy. You're not providing an example of a system that functions without the need for secrecy, you're providing an example of a system that uses a very tightly controlled secret, known only to the party that needs it i.e. the FIDO key. Sounds a bit like the principles of need-to-know and compartmentation used by intelligence services...

Open source is useful, to be sure, but so are informants / agents, and the safety of those sources and their continued usefulness is completely dependent upon secrecy. If that's too Hollywood then consider undercover law enforcement.

[tialaramex]

Something is a _secret_ only if at least two people know it. This makes a tremendous difference because now either of them might betray the confidence, a _private_ fact can't be given away by anybody else, it is yours to keep private or not.

Society blurs this line a lot by telling people things are "Private" when in fact they're only a secret, and then there is an opportunity to betray them. This happens for payment cards for example, bank representatives have been known to tell even a court of law that bank employees can't find out your PIN, so if a PIN was used it proves the customer was negligent or actively participated in the transaction. In fact, of course, the PIN is a secret, so the bank and thus its employees are aware of the customer's PIN and an insider could in fact perform transactions using PIN verification despite no negligence by the customer.