- From: Myridium <notifications@github.com>
- Date: Sun, 21 Nov 2021 15:32:20 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/686/974919923@github.com>
Sorry to butt in, but I have been reading a bit about w3c's WebAuthn activities and the approach is puzzling me: > But it seems unlikely that broad numbers of people are going to purchase a pair of security keys to use WebAuthn, and manage double-registering on all their sites. First, whatever happened to the Asynchronous Remote Key Generation proposal by YubiCo which would allow users to keep a redundant security key backup in safe storage, consistently synced? The user has control over their own data and security this way; there is no need for online services to offer their own syncing mechanisms if the user has, say, 3 security keys to which they assign *memorable names*. It is easy to imagine this as part of a marketing campaign for a new passwordless experience-- naming your personal, private security keys that will never divulge their secrets to anyone. Call them "Bob, Roger and Frank" if you will. Physically label/engrave them too, if desired. Simple to understand, as well. As part of ARKG, the user's hardware tokens could be configured with the public keys of the other tokens, and easily enrol them as a matter of course in new services. Services can display a list of enrolled devices, and users know to check that "Bob, Roger and Frank" are all enrolled. Easy. Only issue/improvement would be synchronising credentials across services. For this it seems easiest to use the Hedera network, where there could be a maintained list of keys for the user. For more privacy, the user could maintain their own private list (e.g. Hedera File Service), and issue NFTs to services in order to grant them access. How? The security key would have permission to mint such NFTs. This may sound futuristic and far-fetched and impractical, but it is actually achievable and cost-effective today. We just need trusted hardware key manufacturers like YubiCo to support biometric--protected on-board transaction construction and signing, for a painless experience. Admittedly there is probably a lot of work to be done developing compatible hardware keys. But it can be done. Second, I think that the passwordless transformation will be more than sufficient to convince users to take that extra security step in managing a few hardware tokens. In fact I would go so far as to speculate that this relieves the user of a psychological burden, as a physical security key system is easy to understand and keep track of. If a private key is stored on my smartphone or PC, then I simply don't know how safe it is. Can it be hacked remotely? Does it expose the private key in RAM? (YES, therefore vulnerable to memory exploits, rootkits etc). If it's on dedicated hardware designed by a reputable brand, then I just needn't worry. Users may even think of this transformation as returning to simpler times-- a physical key that unlocks accounts. You don't have the key? Then you don't have access. You do have the key? Well, I better change the lock (invalidate the key) but I won't worry too much because I know it's protected by my fingerprint. I know I'm repeating myself, but I don't understand why it would be considered *hard* to onboard users to such a system. I am pretty sure my grandparents would have felt quite comfortable using biometric FIDO2 hardware keys. Usernames/passwords? Not so much. I would urge W3C to conduct real usability studies (with real test subjects) with biometric FIDO2 keys, and usernames/passwords, to determine whether users would autonomously make the switch. This is too important for idle speculation. If biometric-protected FIDO2 keys supporting ARKG are released, and ARKG is incorporated as a core of the WebAuthn standard, then users will have the ultimate usability experience; the cognitive burden of managing online identity will be eased; users will 'own their identity'; they'll retain privacy (assuming public keys are in some way 'salted' according to the online service; also consider Hedera), and the security of such a system will be quite substantial. I believe that users would understand this authentication system better than the current username/password based one. And I believe that users would autonomously switch due the great user experience. A bright future in security and usability awaits, and it's really achievable today I believe. Please don't shoot us in the foot by settling for second best. Incremental innovation stifles adoption. The passwordless revolution is a rare opportunity to **get things right**, to perform a quantum leap in security and usability, with a high degree of confidence that users will autonomously onboard themselves and mainstream adoption will be achieved. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/686#issuecomment-974919923
Received on Sunday, 21 November 2021 23:32:33 UTC