[webauthn] authenticator taxonomy

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== authenticator taxonomy ==
Given that the spec has explicit notions of platform and roaming authenticators, and we are now thinking about being able to denote other attributes of authenticators-cum-platform, such as whether they manage credential private keys, we may want to explicitly write down an authenticator taxonomy. 

Here's a swipe at it:

* first-factor Bound Authenticator
  * create(): credential private keys are stored client-side.
  * get(): When there is no user session (no cookies, a clear machine), the platform+UA+authenticator work together to display a pick list of any existing credentials registered with this RP. During step-up authentication (when there is a user session) the server can supply credential IDs to the authnr.

* second-factor Bound Authenticator
  * create(): credential private keys are stored client-side.
  * get(): When there is no user session (no cookies, a clear machine), the RP needs to prompt the user for their account information, otherwise the user cannot use this authenticator at this time. During step-up authentication (when there is a user session) the server can supply credential IDs to the authnr.

* first-factor Roaming Authenticator
  * create(): credential private keys are stored on the discrete authenticator.
  * get(): When there is no user session (no cookies, a clear machine), the platform+UA+authenticator work together to display a pick list of any existing credentials registered with this RP. During step-up authentication (when there is a user session) the server can supply credential IDs to the authnr.

* second-factor Roaming Authenticator
  * create(): credential private keys are stored server-side (wrapped within credential IDs).
  * get(): When there is no user session (no cookies, a clear machine), the RP needs to prompt the user for their account information, otherwise the user cannot use this authenticator at this time. During step-up authentication (when there is a user session) the server can supply credential IDs to the authnr.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/422 using your GitHub account

Received on Saturday, 22 April 2017 01:34:45 UTC
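The four taxonomy entries above differ only in what `create()` asks of the authenticator and in what the RP can put into `allowCredentials` on `get()`. The following is an added example, not code from the issue, the spec or the W3C repository: it writes the four entries as option builders for `navigator.credentials.create()` and `navigator.credentials.get()`, plus a hypothetical RP-side credential store. The mapping of the issue's terms onto spec fields is an assumption of this example (Bound = `authenticatorAttachment: "platform"`, Roaming = `"cross-platform"`, first-factor = `requireResidentKey: true`, second-factor = `requireResidentKey: false`); the challenge and credential IDs are constructed placeholders, not values from a real server.

```javascript
// Added example (not from the issue). Assumed mapping of the issue's terms
// onto WebAuthn fields; the issue itself does not state this mapping:
//   Bound   -> authenticatorAttachment "platform"
//   Roaming -> authenticatorAttachment "cross-platform"
//   first-factor  -> requireResidentKey true  (discoverable, pick list possible)
//   second-factor -> requireResidentKey false (RP must supply credential IDs)
const KINDS = {
  "first-factor-bound":    { attachment: "platform",       firstFactor: true },
  "second-factor-bound":   { attachment: "platform",       firstFactor: false },
  "first-factor-roaming":  { attachment: "cross-platform", firstFactor: true },
  "second-factor-roaming": { attachment: "cross-platform", firstFactor: false },
};

function kindOf(kind) {
  const k = KINDS[kind];
  if (!k) throw new Error(`unknown authenticator kind: ${kind}`);
  return k;
}

// create(): PublicKeyCredentialCreationOptions for one taxonomy entry.
function creationOptions(kind, { rpId, userId, userName, challenge }) {
  const k = kindOf(kind);
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: k.attachment,
      requireResidentKey: k.firstFactor,
      // a first-factor credential is the whole login, so insist on user verification
      userVerification: k.firstFactor ? "required" : "preferred",
    },
    attestation: "none",
  };
}

// Hypothetical RP-side store: account name -> credential IDs registered to it.
class CredentialStore {
  constructor() { this.byUser = new Map(); }
  register(userName, credentialId) {
    if (!this.byUser.has(userName)) this.byUser.set(userName, []);
    this.byUser.get(userName).push(credentialId);
  }
  allowList(userName) {
    return (this.byUser.get(userName) || []).map((id) => ({ type: "public-key", id }));
  }
}

// get(): what the RP can do for one taxonomy entry. `knownAccount` is the
// account name when the RP already knows it (a user session during step-up, or
// the answer to a prompt); undefined on a clean machine with no session.
// Returns { options } when get() can be issued now, or { needAccountInfo: true }
// when a second-factor authenticator cannot be used until the account is known.
function requestOptions(kind, { rpId, challenge, knownAccount, store }) {
  const k = kindOf(kind);
  const base = { rpId, challenge, userVerification: k.firstFactor ? "required" : "preferred" };
  if (knownAccount !== undefined) {
    // server supplies the credential IDs; for second-factor roaming authenticators
    // these IDs are what carries the wrapped private key back to the device
    return { options: { ...base, allowCredentials: store.allowList(knownAccount) } };
  }
  if (k.firstFactor) {
    // empty allowCredentials: platform+UA+authenticator offer a pick list of
    // discoverable credentials for this rpId
    return { options: { ...base, allowCredentials: [] } };
  }
  // second-factor, no session: prompt for account info before calling get()
  return { needAccountInfo: true };
}

// Constructed sample data, not a real challenge or real credential IDs.
const sampleChallenge = Uint8Array.from({ length: 32 }, (_, i) => i);
const sampleStore = new CredentialStore();
sampleStore.register("alice", Uint8Array.from([0x01, 0x02, 0x03]));
sampleStore.register("alice", Uint8Array.from([0x0a, 0x0b, 0x0c]));
```

The interesting branch is the second-factor one with no session: `requestOptions` refuses to build a `get()` request and makes the RP ask for the account first, exactly the gap the issue's taxonomy calls out. Note that an RP looking up `allowList` for an account name the user typed should take care that an unknown name and a known name with no credentials are not distinguishable to the caller, or the lookup becomes an account-enumeration oracle; that hardening is outside this example.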