Re: [webauthn] Standardising support for software authenticators (#1175) from Nick Steele via GitHub on 2019-03-20 (public-webauthn@w3.org from March 2019)

From: Nick Steele via GitHub <sysbot+gh@w3.org>
Date: Wed, 20 Mar 2019 21:11:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-475030204-1553116318-sysbot+gh@w3.org>

Hi @filips123, I think standardization of support for soft authenticators within the WebAuthn specification falls a bit outside the scope of the specification, but perhaps specifying some best practices for handling soft authenticators would be a good addition. Also, assuming additions like [CaBLE support](https://github.com/fido-alliance/fido-2-specs/pull/529) are adopted, users could potentially use their phone to handle authentication in a way that would be "standardized", since it would be written into the spec as an extension, and I'll mention another non-standard example I know about below.  

The reason I think it is out of scope to standardize the API for soft authenticators is because we don't need to add anything to the credential creation/assertion options/responses that would need to be specific for software authenticators, and I, as a developer, wouldn't want the WebAuthn API to reach out to potential 3rd party authentication brokers/routers on my behalf. Take, for example, two different types of soft authenticators I know of that support WebAuthn and how they handle things: 

[SoftU2F](https://github.com/github/SoftU2F): This library emulates a hardware U2F HID device and performs cryptographic operations using the OS X Keychain. We don't need to add anything to the API for this soft authenticator to work and it would be the onus of the RP to handle allowing/disallowing this type of auth method.

[Krypton U2F Extension](https://github.com/kryptco/kr-u2f): This library defines an extension that can be used with Krypton's [iOS](https://github.com/kryptco/krypton-ios) or [Android](https://github.com/kryptco/krypton-android) libraries to override the WebAuthn API request and send the credential request to a mobile device for authentication.

Both methods are different, and I don't see how the WebAuthn API can be amended to better support these software-defined authentication methods. What I would say is that we could probably address in the spec are best practices and security guidelines for soft authenticators, but this could also be an addition for the CTAP spec rather than the WebAuthn one.

-- 
GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1175#issuecomment-475030204 using your GitHub account

Received on Wednesday, 20 March 2019 21:12:01 UTC