- From: Anthony Nadalin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 19 Oct 2016 21:06:25 +0000
- To: public-webauthn@w3.org
**Developer running Test Suite**

Developer is running a test suite on his PC that is making API calls to a cloud service. The Developer would like to enhance the security posture and use a second factor when making API calls to the cloud service. The Developer has previously enrolled his FIDO device with the cloud service, using standard enrolment, and has enabled MFA for API calls. MFA API calls require the standard cloud service authentication and the FIDO device. The test suite runs the same code a number of times for code coverage, and each time, the code requires a 2F from a FIDO device to make the API call. The user does not want to touch the U2F device on each invocation of the code in the test suite.

**Production Server**

A PC is a production server that is making regular API calls to a cloud service. The admin enrolls the FIDO token with a set of credentials at the cloud service and enables MFA on API calls. The admin installs the standard credentials on the PC, and inserts the FIDO device into the PC. The admin launches the application that makes the API calls on the PC, and the application uses the standard credentials and the FIDO device to regularly authenticate with no user present.

In both of these cases, an attacker needs to acquire both the standard cloud credentials and the physical FIDO device to make API calls from a separate machine.

-- GitHub Notification of comment by nadalin

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/22#issuecomment-254940830 using your GitHub account
Received on Wednesday, 19 October 2016 21:06:32 UTC