Re: [w3ctag/design-reviews] Broadening the user base of WebAuthn (Issue #686)

> what makes you think that most websites would [not] use this?

Most sites use a model based on username+password and let people reset passwords with an emailed link. For such sites the device-bound keys are complexity they don't need.

Sites that already have step-up challenges such as SMS OTP when signing in on a new device are those that I think would use the signals that device-bound keys provide.

> Also have you discussed the idea about ephemeral synced keys that are signed by a hardware based key as Peter described? Was that design considered?

I don't feel that I understand the proposal enough to comment. An important part of the device-bound keys is that they sign a nonce from the site, proving active possession. Having them sign a synced credential provides very different security properties. I'm also unsure how new devices work in such a scheme.

> We'd recommend that you include something in the spec, when you get to drafting it, to share some of this thinking with implementers (even something as simple as "users are trusting credential sync fabric providers to keep their keys secure. While the mechanisms of demonstrating that trust or keeping those credentials secure are out of scope for this spec, we are flagging to implementers that they may need to focus on this problem. Without it, the entire feature won't work.").

Understood. Thanks for the guidance. I can't speak for the whole working group, but I can write pull requests along those lines and hopefully that's enough!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/686#issuecomment-1034371664

Message ID: <w3ctag/design-reviews/issues/686/1034371664@github.com>

Received on Thursday, 10 February 2022 00:59:38 UTC