- From: Adrian Gropper <agropper@healthurl.com>
- Date: Mon, 8 Nov 2021 16:34:02 -0500
- To: Kyle Den Hartog <kyle.denhartog@mattr.global>
- Cc: Alan Davies <alan@credentialmaster.com>, sethi shivam <sethishivam27@gmail.com>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
- Message-ID: <CANYRo8gTNdm+6HQg6cVYkgmUcJYkcoa-gW7sXSCx0xAG8stwkg@mail.gmail.com>
We try to avoid passwords at all costs. Our example implementation model is to let the Resource Owner decide...:

When an end-user client presents, one or another of these is triggered:

1. *Credentialed*: Accept a VC if the issuer is allow-listed as trusted
   1. *Optionally,* require a signed challenge by the VC subject
2. *Invited*: Accept an identifier (email) if:
   1. The OpenID Connect OP is allow-listed as trusted AND
   2. The identifier (email) is pre-registered as trusted
3. *Trust on First Use:* Register the identifier (email) as the Resource Owner
   1. A registered identifier is sent a magic link for authentication

These seem to be the only three categories. Am I missing something?

- Adrian

On Mon, Nov 8, 2021 at 4:12 PM Kyle Den Hartog <kyle.denhartog@mattr.global> wrote:

> To what degree do I need to prove who I am? Do I need to perform a full KYC check every time I login or do I just need to prove that I'm the same entity that registered last time? A solution only needs to be as complicated as the requirements for the feature. For example, if I need a full KYC check then webauthn can't solve this alone. The implementer would need to add in an additional KYC check flow which is designed specifically for their needs. However, on the flip side if I just need to prove that I'm the same entity that registered last time why do I need to be bothered with going out and retrieving a verifiable credential of my driver's license from a trusted issuer to prove that? What happens when my DL has expired or been revoked - does the website that relies on this VC now suddenly not let me login? And this doesn't even address the question of why I even need a driver's license in the first place to login to a website which I'd argue is completely unnecessary for a majority of websites today.
>
> Point being that yes VCs are useful, but they can introduce a fair amount of complexity and edge cases that now must be handled as well and so it raises the question of what are the needs of the system.
>
> Put more simply, how do you compare "better" if there's no clear metric of comparison?
>
> -Kyle
> ------------------------------
> *From:* Alan Davies <alan@credentialmaster.com>
> *Sent:* Monday, November 8, 2021 3:08 PM
> *To:* Kyle Den Hartog <kyle.denhartog@mattr.global>
> *Cc:* sethi shivam <sethishivam27@gmail.com>; W3C Credentials CG (Public List) <public-credentials@w3.org>
> *Subject:* Re: Password-less auth vs VC-auth
>
> EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
>
> Surely a simple “here’s a credential that proves who I am” must be considered “pretty good”. Let’s keep things simple. The older passwordless solutions are not that simple.
>
> Alan Davies
> +1 818 415 0211
>
> On Nov 7, 2021, at 14:38, Kyle Den Hartog <kyle.denhartog@mattr.global> wrote:
>
> It's hard to make an evaluation of what's better without having any sort of use case or requirements listed. If you're only trying to achieve authentication like just a basic login, then a VC is probably overkill in what you're trying to achieve. However, if you're trying to build a registration flow or architect the system so that the backend system operates completely stateless, I could see advantages to using a VC based system.
>
> Also, when you say password-less auth there's a whole class of potential methods you could use to achieve this. For example, webauthn, HTTP Signatures, DIDComm based co-protocol, or many other variations exist to achieve a password-less based auth system. However, without more details it's hard to compare any of them.
>
> -Kyle
> ------------------------------
> *From:* sethi shivam <sethishivam27@gmail.com>
> *Sent:* Sunday, November 7, 2021 1:22 PM
> *To:* W3C Credentials CG (Public List) <public-credentials@w3.org>
> *Subject:* Password-less auth vs VC-auth
>
> EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.
>
> Hi team,
>
> I am looking for the reasons why vc-auth is better than password-less auth.
>
> And if I lose my phone, which process is less painful to get my credentials back?
>
> Best Regards
> Sethi Shivam
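The three admission categories Adrian lists (Credentialed, Invited, Trust on First Use) can be read as a single policy decision, so here is an added Python sketch of that dispatch. It is illustration written for this page, not code from the thread or from Adrian Gropper's implementation; the class and field names, the ordering of the checks, the magic-link lifetime and the sample issuers, OPs and addresses are all assumptions. It also assumes that VC signature verification, challenge-signature verification and the OP's assertion of the email have already been checked upstream, so the policy only sees the resulting identifiers. Where it goes beyond the message, it adds the part a practitioner has to get right for category 3: the first-use binding is permanent, and the magic link is single-use and expires.

```python
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Presentation:
    """What the end-user client presents (constructed fields for this sketch).
    Signature and OP-assertion verification are assumed to have happened upstream."""
    vc_issuer: Optional[str] = None         # issuer of a presented VC, if any
    vc_subject: Optional[str] = None        # subject identifier inside that VC
    challenge_signer: Optional[str] = None  # party whose (already verified) signature covers the challenge
    oidc_op: Optional[str] = None           # OpenID Connect OP that asserted the email, if any
    email: Optional[str] = None             # identifier (email) presented


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class AdmissionPolicy:
    trusted_issuers: set[str]              # allow-listed VC issuers (category 1)
    trusted_ops: set[str]                  # allow-listed OpenID Connect OPs (category 2)
    preregistered_emails: set[str]         # identifiers pre-registered as trusted (category 2)
    require_subject_challenge: bool = False
    link_ttl: float = 600.0                # magic-link lifetime in seconds (assumed value)
    resource_owner: Optional[str] = None   # bound on first use (category 3)
    _links: dict[str, tuple[str, float]] = field(default_factory=dict)  # token hash -> (email, expiry)

    def decide(self, p: Presentation, now: Optional[float] = None) -> tuple[str, str]:
        """Return (outcome, detail); outcome is credentialed, invited, magic-link or deny."""
        # 1. Credentialed: VC from an allow-listed issuer, optionally with a subject-signed challenge.
        if p.vc_issuer is not None:
            if p.vc_issuer not in self.trusted_issuers:
                return ("deny", "issuer not allow-listed")
            if self.require_subject_challenge and (
                p.vc_subject is None or p.challenge_signer != p.vc_subject
            ):
                return ("deny", "challenge not signed by VC subject")
            return ("credentialed", p.vc_subject or p.vc_issuer)
        if p.email is None:
            return ("deny", "nothing presented")
        # 2. Invited: OP allow-listed AND identifier pre-registered; both conditions are required.
        if p.oidc_op in self.trusted_ops and p.email in self.preregistered_emails:
            return ("invited", p.email)
        # 3. Trust on First Use: the first identifier seen becomes the Resource Owner;
        #    from then on only that identifier is issued a magic link.
        if self.resource_owner is None:
            self.resource_owner = p.email
        if p.email != self.resource_owner:
            return ("deny", "resource owner already bound to another identifier")
        return ("magic-link", self.issue_magic_link(p.email, now))

    def issue_magic_link(self, email: str, now: Optional[float] = None) -> str:
        """Mint a single-use, expiring token; only its hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._links[_token_hash(token)] = (email, now + self.link_ttl)
        return token  # would be embedded in the link mailed to `email`

    def redeem_magic_link(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the authenticated identifier, or None if the token is unknown, used, expired
        or does not belong to the bound Resource Owner."""
        now = time.time() if now is None else now
        entry = self._links.pop(_token_hash(token), None)  # pop: a token redeems at most once
        if entry is None:
            return None
        email, expiry = entry
        if now > expiry or email != self.resource_owner:
            return None
        return email


if __name__ == "__main__":
    # Constructed sample values; none of these issuers, OPs or addresses are real.
    policy = AdmissionPolicy(
        trusted_issuers={"did:example:issuer"},
        trusted_ops={"https://op.example"},
        preregistered_emails={"alice@example.org"},
        require_subject_challenge=True,
    )
    print(policy.decide(Presentation(vc_issuer="did:example:issuer",
                                     vc_subject="did:example:alice",
                                     challenge_signer="did:example:alice")))
    print(policy.decide(Presentation(oidc_op="https://op.example", email="alice@example.org")))
    outcome, token = policy.decide(Presentation(email="owner@example.org"))
    print(outcome, policy.redeem_magic_link(token), policy.redeem_magic_link(token))
```

The design choice worth noting is that the three categories are evaluated in order and the first one that applies decides; an identifier that is not pre-registered therefore falls through to category 3, where it is accepted only if no Resource Owner has been bound yet. Storing the hash of the magic-link token rather than the token itself means a leaked table does not yield usable links.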
Received on Monday, 8 November 2021 21:34:26 UTC