
Re: Password-less auth vs VC-auth

From: Kyle Den Hartog <kyle.denhartog@mattr.global>
Date: Mon, 8 Nov 2021 21:10:15 +0000
To: Alan Davies <alan@credentialmaster.com>
CC: sethi shivam <sethishivam27@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Message-ID: <MEYP282MB4057D33E485A60B8E84C2C96FC919@MEYP282MB4057.AUSP282.PROD.OUTLOOK.COM>
To what degree do I need to prove who I am? Do I need to perform a full KYC check every time I log in, or do I just need to prove that I'm the same entity that registered last time? A solution only needs to be as complicated as the requirements for the feature. For example, if I need a full KYC check then WebAuthn can't solve this alone. The implementer would need to add in an additional KYC check flow which is designed specifically for their needs. However, on the flip side, if I just need to prove that I'm the same entity that registered last time, why do I need to be bothered with going out and retrieving a verifiable credential of my driver's license from a trusted issuer to prove that? What happens when my DL has expired or been revoked: does the website that relies on this VC now suddenly not let me log in? And this doesn't even address the question of why I even need a driver's license in the first place to log in to a website, which I'd argue is completely unnecessary for a majority of websites today. Point being that yes, VCs are useful, but they can introduce a fair amount of complexity and edge cases that now must be handled as well, and so it raises the question of what the needs of the system are.

Put more simply, how do you compare "better" if there's no clear metric of comparison?

-Kyle
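The contrast Kyle draws in both of his messages (a "same key as at registration" check versus a login that depends on a credential from a third-party issuer), as an added example that is not part of this thread and not code from any of its participants. The shapes are assumed and deliberately minimal: `vcClaims` is not the W3C VC data model, `challengeLogin` is not the WebAuthn wire format, and the revocation map stands in for whatever status list a real verifier would have to fetch. Both paths verify that the client controls a private key; only the second path can lock out a holder who still controls the right key, which is the expiry/revocation edge case raised above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// newKeys and sign are thin wrappers so the scenario reads clearly.
func newKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// newChallenge returns a fresh random nonce. A server must never reuse one,
// otherwise a captured signature can be replayed on either path below.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// ---- Path 1: "same entity that registered last time" (WebAuthn-style, simplified) ----

// registeredUser is all the server stores at enrolment: the user's public key.
type registeredUser struct{ PubKey ed25519.PublicKey }

// challengeLogin accepts the login if the challenge was signed by the enrolled key.
// No issuer, no validity period and no revocation list are involved.
func challengeLogin(u registeredUser, challenge, sig []byte) error {
	if !ed25519.Verify(u.PubKey, challenge, sig) {
		return errors.New("assertion does not verify against the registered key")
	}
	return nil
}

// ---- Path 2: login with a credential issued by a third party ----

// vcClaims is an assumed toy credential body, not the W3C VC data model.
type vcClaims struct {
	ID      string    `json:"id"`
	Subject []byte    `json:"subject"` // holder's public key
	Expires time.Time `json:"expires"`
}

type vc struct {
	Claims    vcClaims
	IssuerSig []byte // issuer signature over json.Marshal(Claims)
}

func issue(issuerPriv ed25519.PrivateKey, subject ed25519.PublicKey, id string, expires time.Time) vc {
	claims := vcClaims{ID: id, Subject: subject, Expires: expires}
	body, _ := json.Marshal(claims)
	return vc{Claims: claims, IssuerSig: ed25519.Sign(issuerPriv, body)}
}

type vcVerifier struct {
	TrustedIssuer ed25519.PublicKey
	Revoked       map[string]bool  // stand-in for a status list the verifier must keep current
	Now           func() time.Time // injected so expiry is testable
}

// verifyLogin does the same key-possession check as challengeLogin, plus the three
// checks a credential drags in: issuer trust, validity period and revocation.
func (v vcVerifier) verifyLogin(c vc, challenge, holderSig []byte) error {
	body, err := json.Marshal(c.Claims)
	if err != nil {
		return err
	}
	if !ed25519.Verify(v.TrustedIssuer, body, c.IssuerSig) {
		return errors.New("credential not signed by a trusted issuer, or claims tampered")
	}
	if v.Now().After(c.Claims.Expires) {
		return errors.New("credential expired")
	}
	if v.Revoked[c.Claims.ID] {
		return errors.New("credential revoked")
	}
	if len(c.Claims.Subject) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.Claims.Subject), challenge, holderSig) {
		return errors.New("holder does not control the credential's subject key")
	}
	return nil
}

func main() {
	userPub, userPriv := newKeys()
	issuerPub, issuerPriv := newKeys()
	now, ch := time.Now(), newChallenge()
	fmt.Println("webauthn-style:", challengeLogin(registeredUser{PubKey: userPub}, ch, sign(userPriv, ch)))
	v := vcVerifier{TrustedIssuer: issuerPub, Revoked: map[string]bool{}, Now: func() time.Time { return now }}
	cred := issue(issuerPriv, userPub, "dl-1", now.Add(time.Hour))
	fmt.Println("vc, valid:     ", v.verifyLogin(cred, ch, sign(userPriv, ch)))
	v.Revoked["dl-1"] = true
	fmt.Println("vc, revoked:   ", v.verifyLogin(cred, ch, sign(userPriv, ch)))
}
```

Note what the second path adds operationally: the verifier now has a trust anchor to manage, a clock to keep right, and a revocation source to keep fresh, and a failure in any of those denies the login regardless of whether the user still holds the right key. That is the extra surface the first path does not have, which is why the thread keeps coming back to what the requirements actually are.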
________________________________
From: Alan Davies <alan@credentialmaster.com>
Sent: Monday, November 8, 2021 3:08 PM
To: Kyle Den Hartog <kyle.denhartog@mattr.global>
Cc: sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Re: Password-less auth vs VC-auth


Surely a simple “here’s a credential that proves who I am” must be considered “pretty good”. Let’s keep things simple. The older passwordless solutions are not that simple.

Alan Davies
+1 818 415 0211

On Nov 7, 2021, at 14:38, Kyle Den Hartog <kyle.denhartog@mattr.global> wrote:


It's hard to make an evaluation of what's better without having any sort of use case or requirements listed. If you're only trying to achieve authentication, like just a basic login, then a VC is probably overkill for what you're trying to achieve. However, if you're trying to build a registration flow or architect the system so that the backend operates completely statelessly, I could see advantages to using a VC-based system.

Also, when you say password-less auth, there's a whole class of potential methods you could use to achieve this. For example, WebAuthn, HTTP Signatures, a DIDComm-based co-protocol, or many other variations exist to achieve a password-less auth system. However, without more details it's hard to compare any of them.

-Kyle
________________________________
From: sethi shivam <sethishivam27@gmail.com>
Sent: Sunday, November 7, 2021 1:22 PM
To: W3C Credentials CG (Public List) <public-credentials@w3.org>
Subject: Password-less auth vs VC-auth


Hi team,

I am looking for the reasons why vc-auth is better than password-less auth.

And if I lose my phone, which process is less painful to get my credentials back?

Best Regards
Sethi Shivam

Received on Monday, 8 November 2021 21:10:34 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:24 UTC