- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Mon, 8 Mar 2021 20:05:11 +0100
- To: public-webauthn-adoption@w3.org
Hi,

Here are the notes I took during our meeting today; extracting the specific action items:

* [ongoing] ACTION: Dom to suggest a way forward on tracking platform-specific implementations considerations
* ACTION: Dom to help seed WebAuthn2 in MDN (BCD + docs)
* ACTION: Felix to look into gotchas they might be aware of
* ACTION: Nick to investigate what info browser implementors have on platform authenticator
* ACTION: Felix to document use research on the need to use platform name
* ACTION: Dom to share his research on possible coordinated efforts around WebAuthn in StackOverflow

# Intros

Welcoming Travis Andreson, Comcast: product manager focused on identity space; lots of research on WebAuthn after it landed in iOS; interesting use case for Comcast

Welcoming David Waite from Ping Identity, with a FIDO-based product, interested in seeing improvements to UX

# WebAuthn.How status update

https://github.com/webauthn-adoption/practical-webauthn

Nick: looking for help on crypto stuff

# Conformance test suite

https://github.com/webauthn-adoption/webauthn-conformance

# WebAuthn browser support documentation

* [ongoing] ACTION: Dom to suggest a way forward on tracking platform-specific implementations considerations
* ACTION: Dom to help seed WebAuthn2 in MDN (BCD + docs)
* ACTION: Felix to look into gotchas they might be aware of

Travis: is there a place to find info on what browser-specific challenges may arise?

Nick: Yubico has good info https://developers.yubico.com/WebAuthn/WebAuthn_Browser_Support/ ; canIUse doesn't have enough granular data (will be compounded by WebAuthn Level 2); discoverable credentials have different attributes (discoverable, encouraged) that can't really be well represented in canIUse

John: WebAuthn Level 2 has been approved to PR, AC review until March 26

# MOOC

Updates on WebAuthn MOOC for W3Cx

John: basic outline of entire course; detailed outline of module 1 is helping us figure out the overall plan; we'll call on CG participants to take the course as testers. It's emerging there will be material for 2 courses

# Naming platform authenticators

https://github.com/webauthn-adoption/practical-webauthn/issues/6

Nick: support to the idea of being able to name platform authenticators; privacy means protecting ahead-of-time attestations, but there may be room for giving information on availability of non-platform (i.e. roaming) authenticators; WebAuthn WG may be open to this if we can build support for it; would like to hear more about the expected usage of this

Felix: thanks for having looked into this; "sign-in with FIDO" aims to hide some of this complexity, but FIDO is not a well-known name at this point, and naming this the right way creates a significant UX barrier in our user testing - the goal would be to enable a more concrete naming of the platform authenticator on the device in use; it's easy on Windows (Windows Hello), not so much on iOS (TouchId, FaceId), likewise complicated on MacOS

Nick: we're facing the same issue

DavidW: distinct issues: UX vs lack of platform-level API on Apple OSes

Nick: the .well-known mechanism in Android allows to give native app a UI selector for authenticators

DavidW: similar to non-modal UI in Web browsers; this could build into a login-picker that integrated federated login, etc

Matthew: the current browser UI offloads the privacy concern to the browser; RPs want at least browsers to be more reliable in showing the name of the authenticator that is available

Matthew: an important question is whether browsers themselves can determine the name of platform authenticator https://github.com/microsoft/webauthn/blob/master/webauthn.h

ACTION: Nick to investigate what info browser implementors have on platform authenticator

ACTION: Felix to document use research on the need to use platform name

DavidW: on iOS/MacOS, Chrome built its own WebAuthn integration without direct OS support for TouchId/FaceId (which differs in Windows or Android which handles entirety of talking with authenticators https://github.com/microsoft/webauthn/blob/master/webauthn.h )

Nick: CABLe is also part of the long term strategy in this space

DavidT: you get consistent views on Windows, on Android

DavidW: CABLe is provided separately from those though

Felix: I've seen an Apple engineer mentioning moving the APIs to platform level

# StackOverflow

DavidT: the notion of managing presence on StackOverflow in addition to the fido-dev google groups

Dom: very supportive - SO very useful platform for outreach; haven't seen a lot of webauthn questions

Nick: +1 on the value; not sure if there is much to do if not many questions though

DavidT: maybe a bootstrap issue; value in curating content

ACTION: Dom to share his research on possible coordinated efforts around WebAuthn in StackOverflow

# Next meeting

* proposal to use Google meet instead of our current Webex
* next call on March 22 - US will have switched to Summer time, Europe not yet - meeting will stick to US time

Received on Monday, 8 March 2021 19:05:16 UTC