Re: webauthn post on NANOG from Jeff Hodges on 2019-03-26 (public-webauthn@w3.org from March 2019)

From: Jeff Hodges <jdhodges@google.com>
Date: Tue, 26 Mar 2019 06:46:23 -0700
To: W3C Web Authn WG <public-webauthn@w3.org>
Cc: Akshay Kumar <Akshay.Kumar@microsoft.com>, Nicholas Steele <nick@nicksteele.net>, Emil Lundberg <emil@yubico.com>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, James Barclay <jbarclay@duosecurity.com>
Message-ID: <CAOt3QXt6ttRqCqRJiWcajKeAVstMKuM-11qpgwpPirfMmxawCQ@mail.gmail.com>

On Mon, Mar 25, 2019 at 9:01 AM James Barclay <jbarclay@duosecurity.com>
wrote:

> I think this question has less to do with standardizing software
> authenticators and more to do with a misunderstanding about how user
> verification works, whether local PINs/passphrases are supported in
> WebAuthn, and a fear that knowledge-based authentication will disappear
> "because FIDO/WebAuthn/whatever."


Agreed, that is how I also interpreted the NANOG post.


> I don't think anything needs to change in the spec, but maybe we can all
> be more clear when communicating with others about how users authenticate
> to the device, whether that's biometrics, a PIN/passphrase, or a test of
> user presence in non-user verifying workflows. We could also spend less
> time demonizing passwords without also explaining the differences between
> remote and local verification. I suspect that this misunderstanding has
> come about at least partly because using biometrics to authenticate is a
> much different user experience than password-based authentication, and
> therefore is what's written about on blogs/news sites.
>

agreed.


=JeffH

Received on Tuesday, 26 March 2019 13:47:11 UTC