Re: FacetID equivalent for WebAuthn?

The iframe solution might be good enough, but that opens other issues I am
sure.

A CTAP2 only solution is also problematic, because of all the CTAP keys out
there.

Have fun next week at IETF and thanks for the details.


On Thu, Jul 18, 2019 at 6:42 PM John Bradley <jbradley@yubico.com> wrote:

> There was an effort to simplify the spec.   FacitID was a victim of that.
> Dirk can fill in the details.
>
> The payments people are wanting the iframe solution, for 3dsecure and open
> banking.
>
> I think we do need a way to delegate domain A to act as a proxy for domain
> B.
>
> I would prefer to do it in a more granular way than was done in FacitID.
>
> Some of us kicked some ideas around at the last Fido plenery.  I think it
> could be done in WebAuthn with existing CTAP2 authenticators.
>
> John B.
>
> On Thu, Jul 18, 2019, 7:50 PM Marius Scurtescu <
> marius.scurtescu@coinbase.com> wrote:
>
>> Thanks again Adam.
>>
>> Is this the iframe spec you are referring to:
>> https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance
>>
>> The situation looks pretty bleak from where I stand. I am surprised that
>> this is not coming up as an issue. Was there a concrete reason to stop
>> supporting FacetID? Lack of interest?
>>
>>
>> On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:
>>
>>> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <
>>> marius.scurtescu@coinbase.com> wrote:
>>>
>>>> How is a multi-domain deployment supposed to work with WebAuthn? And by
>>>> multi-domain I mean domains that don't match: example1.com and
>>>> example2.com.
>>>>
>>>> One solution that was suggested is to always redirect to the IdP, so
>>>> there is not need for multiple domains. That might work for login, but when
>>>> WebAuthn is used as a re-authentication challenge then a full page redirect
>>>> becomes very difficult to implement, especially for an existing application.
>>>>
>>>
>>> WebAuthn credentials are tied to an RP ID, which is a domain name. There
>>> is not support for “groups” of domains being acceptable for a credential.
>>>
>>> Redirecting (with suitable care) is possible, somewhat similar to OAuth.
>>> There is also (currently) unimplemented spec for granting iframes WebAuthn
>>> abilities, in which case postMessage can be used. Implementation priorities
>>> are set by need and, currently, nobody is making a fuss about the lack of
>>> iframe support so it's not on the roadmap.
>>>
>>>
>>> Cheers
>>>
>>> AGL
>>>
>>

Received on Friday, 19 July 2019 17:45:30 UTC