Re: Shopify WebAuthn UX

I agree, but I personally think it's better to not offer these users
*anything using WebAuthn* rather than giving them a confusing/flawed
experience. Users *should not* be using a platform/bound authenticator for
2-SV. It'll simply result in lockout when they inevitably change to another
machine. That's why, at Google, even while we haven't fully embraced UVPAs
yet, we *hard disallow* platform authenticators for 2-SV.

On Mon, May 18, 2020 at 2:19 PM Shane B Weeden <sweeden@au1.ibm.com> wrote:

> I think this scenario highlights one of the caveats of the How To FIDO
> pattern:
>
> "As a consumer, I have a platform authenticator, but do not own a roaming
> authenticator. Can I use it on your website?"
>
> There are many RPs that offer multi-modal 2FA (i.e. usually labelled
> Security Keys are amongst a range of choices). Those same RPs don't [yet]
> offer platform authenticators as an alternative to password login as a
> primary factor.
>
> This is the reality for a lot of RPs today, including those who were early
> adopters of U2F. If an RP adopts the How To FIDO pattern as documented, it
> currently excludes users who don't own or plan to acquire a roaming
> authenticator from the RP's FIDO-offered 2FA service. I understand in the
> long run the How To FIDO pattern promises a better and more consistent UX,
> but the adoption rate by consumers will be limited until RPs deploy the
> UVPA scenario.
>
> Regards,
> Shane.
>
>
> -----Christiaan Brand <cbrand@google.com> wrote: -----
> To: Bart de Water <bart.dewater@shopify.com>
> From: Christiaan Brand <cbrand@google.com>
> Date: 05/19/2020 01:59AM
> Cc: public-webauthn-adoption@w3.org
> Subject: [EXTERNAL] Re: Shopify WebAuthn UX
>
> Thanks for sending this along, Bart!
>
> I do see some conflation between physical security keys and
> platform authenticators that the "How to Fido" doc tries to address -- as
> you also stated :)
>
> On Mon, May 18, 2020 at 8:54 AM Bart de Water <bart.dewater@shopify.com>
> wrote:
>
>> Hi all,
>>
>> As discussed on the last call, here's screenshots of our current WebAuthn
>> UX:
>> https://docs.google.com/document/d/1x9mmSIvfjO2GOLNg7sd1zxD0j5-5FyeQGuZ3wO5sAaM/edit?usp=sharing
>> - I can imagine we'll incorporate some of Google's "How to FIDO" tips at
>> some point.
>>
>> Cheers,
>> Bart
>>
>
>

Received on Monday, 18 May 2020 21:58:15 UTC