Minutes 2021-06-14

Hi,

Here are the notes I took during our meeting today.

Present: Dom, Andrew, DavidT, Nick, Amy Ulrich, Felix Magedanz, Jarrette
Helton, Matthew Miller, Anthony Nadalin, Tim Cappalli, Travis Anderson

FIDO Developer challenge
Andrew: we have announced a developer channel, Joon Lee is leading that
effort
... had experience leading 2 hackathons in Korea last year
... this challenge includes using public WebAuthn APIs
... cfp announced last week, teams to form by July 2nd
... hope to get ~20-25 teams
... applications will be evaluated by judges that select teams to go
forward to implementation
... leading to a selection of 3 teams
... with an award to the top team at Authenticate in October
... landing page at fidoalliance.org/fido-developer-challenge/
... public registration open, rules & guidelines published
... next step includes promoting the event, seeking support from the CG
... want to bring awareness to the Web developer community
... FIDO will be promoting, would be great to get support from the CG
... the event has sponsors, incl 8 judging sponsors
Matthew: sounds awesome to encourage adoption
... what does the desired solution intend to solve?
... is this about alternative usage of WebAuthn?
... is there a prompt? a theme?
Andrew: it's about building on the public APIs and SDKs
Matthew: will it accept non-authentication-related ideas?
Joon: if you read the guidelines & rules
... we want applicants to use WebAuthn to help make applications easier
to use and more secure
... this could be in the area of IoT, education, anything
... as long as it makes it stronger and easier to use
Matthew: has it been announced publicly?
Andrew: last Thu or Fri
Nick: will there be time at Authenticate to show the results?
Andrew: we're hoping so, as part of a developer engagement block of the
conference
Dom: would be good to highlight the webauthn tag on StackOverflow as a
way to get support
... is there a way to channel feedback from participants to this group,
in terms of obstacles they can face
... will there be some sort of support provided to participants?
Felix: we're thinking of setting up a dev community for support
Matthew: do it on Discord?
Felix: we've been looking at Slack and a Forem instance
Tim: would love us to take over the webauthn subreddit and their chat
channel
... have an organizationally-untied discourse
Nick: Discord's audio/video integration makes it nice
Tim: I could look into the subreddit
Nick: happy to help
... Felix, what do you think about using a Discord?
Felix: +1
Matthew: I'm heavily involved with Discord, happy to help wrt any admin
question

Intros:
Amy: DavidT told us about this group - thanks for welcoming us
DavidT: the discoverable platform authenticators issue has been high on
their list


Apple Passkeys
Nick: Apple's announcements last week introduced the idea of passkeys,
cloud-based WebAuthn credentials
... it complicates the UX around key hosting
... it also brings a lot of benefits, but it makes it harder to
understand what device gives the key, or undermines the guarantees from
attestation
... this clearly means the notion of the name of source device becomes
muddier
Tim: this is a significant change which won't be coming in the fall - it
will be gated behind a developer option; probably not available to
consumers for a while
... there is a hot topic about discovering new devices
Matthew: this new approach breaks the assumption that private keys
reside on devices from which they can't be duplicated
... it changes the underpinnings of trust of FIDO2 (or WebAuthn only?)
... Does this mean that Apple becomes the authenticator?
... what if a device has a lower level of protection?
Nick: strong ties to their plans around Sign-in-with-Apple
... passkeys can help with simplifying UX, esp in the enterprise context
Tim: I don't think enterprises will actually be first-movers here given
the recovery path
Felix: can these new auths be distinguished from on-device auths?
Nick: maybe if they register multiple certificates in the attestation?
... not sure how they deal with the counter?
Felix: it is set to 0 and doesn't increment
Dom: how should we think about these announcements in terms of the
agenda of this group, pushing broader adoption of WebAuthn?
Nick: will this be a WebAuthn thing from Apple's perspective in the
first place?
Tim: we've been talking about a visual identity on password-less on the internet
... but passkeys is specific to the iOS ecosystem
... in that ecosystem, it makes things easier to implement
... it's no longer about devices, it's going to be around ecosystems
Felix: at a high level, this is a good thing to push WebAuthn to more
web sites
Tim: they're only talking about platform authenticators, they don't
mention security keys - might be worth attention
Nick: despite the Apple-centrism, it's still based on WebAuthn - that
might be worth highlighting
Tim: let's be careful about adopting "passkey" as a phrase to mention
password-less while we figure out the broader story on terminology
Felix: you were saying "Apple passkey" as equivalent to "windows hello"?
Tim: in terms of being a platform-specific modality-generic authenticator
Nick: Safari has integration with FIDO2 authenticators outside of
passkeys that will need to be preserved
... this complicates the UX story for browsers

MDN updates
DavidT: in terms of MDN, any roadmap to adding the level 2 stuff there?
Dom: I'll try to get a timeline


MDS
Nick: how much documentation is there about using MDS? haven't seen much
of that
... how to get set up with it, description of the new data structures
Dom: main motivation?
Felix: mostly in regulated environments like enterprise
Dom: how good is the MDS developer experience? how important is it in
terms of WebAuthn adoption in general?
Matthew: maybe not highest priority
Felix: it's very important in the FIDO architecture

Next meeting in 2 weeks on June 28

Received on Monday, 14 June 2021 18:04:05 UTC