Re: [w3ctag/design-reviews] Early Design Review for Device Bound Session Credentials (Issue #1052)

arnar left a comment (w3ctag/design-reviews#1052)

Re reusing a WebAuthn key and any potential/future mediation=silent API:

WebAuthn's primary use case is interactive user sign in, with credentials that are expected to outlive individual sessions - and in particular interact with key storage that can move between devices (security keys, password managers). The "noisiness" in WebAuthn, i.e. requiring user interaction and clear signal of intent, is the very thing that allows keys out outlive e.g. browser cookie jars. For example, clearing site data is not generally expected to delete WebAuthn credentials, and that's ok because the user is always involved in using WebAuthn credentials.

So a silent mediation API in WebAuthn really would mean it only deals with some separate type of keys, which would have to follow the same rules in terms of site data lifetime as other silent data (cookies, local storage, etc.). That would definitely be possible, but wouldn't have any overlap with the primary use case of WebAuthn.

WIth that in mind, we think that a separate API is better on both sides: WebAuthn has a lot of complexity, both explicit and implicit, that only exists because of that primary user-interactive use case that would create sharp edges for session key management; and WebAuthn already needs to consider a lot of design requirements and adding more unrelated ones would probably not be helpful.

I'm happy to expand on details, e.g. which specific features I think are incompatible.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1052#issuecomment-2847593330
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1052/2847593330@github.com>