RE: Signal to end-user when using webauthn

Arshad, 

Would you please elaborate on the phishing concern here? Is it that a website may somehow find a different way to show UI and gather the user's biometrics (and if so, how would it do that)?

Similarly, what's the privacy issue? When would a biometric gesture be prompted by the browser without a WebAuthn call, and what would the website be hoping to gain?

There are of course ways for a website to compromise privacy by overusing WebAuthn - for instance a site may call getAssertion for no good reason, just to check whether a particular user is present (figuring that if they are like most users they will provide a biometric, just to make the prompt go away). But isn't that more about what is in the heart of the caller, and unlikely to be affected by the type of signal you propose?

-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com] 
Sent: Tuesday, July 05, 2016 5:55 PM
To: public-webauthn@w3.org
Subject: Re: Signal to end-user when using webauthn

No, it's not.  This is necessary not only for key-registration (where attestation comes into the picture) but for every authentication.

Users are going to be prompted for the biometric gesture each time a biometric Webauthn Authenticator is activated for use: registration, authentication and transaction confirmation.  If they do not see a standard signal when Webauthn is in use, not only do they NOT know if there is a privacy leak, but they also become vulnerable to phishing attacks (since the platform is not giving off any signals to the contrary).

Arshad Noor
StrongAuth, Inc.

On 07/05/2016 04:18 PM, Anthony Nadalin wrote:
> Isn't this already implied by the attestations that may be part of the registration (which is out of scope of the W3C WebAuthn WG)?
>
> -----Original Message-----
> From: Arshad Noor [mailto:arshad.noor@strongauth.com]
> Sent: Sunday, July 3, 2016 6:41 PM
> To: public-webauthn@w3.org
> Subject: Signal to end-user when using webauthn
>
> I'm not sure if this is part of this WG's purview, but as the WG focuses on standardizing Webauthn, I would like to suggest adding one more element to its scope: a signal to the end-user when the platform is using the Webauthn standard to strongly-authenticate the user.
>
> An informal case for this is documented in this brief blog entry:
> *Not all biometric authentication is equal* - https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2falesa.website&data=01%7c01%7ctonynad%40microsoft.com%7cc713a71937b848c356c608d3a3ac794a%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=7WkozRldsTeHy6HRLVcQ27tpPOI0VryBKbrWtCTuXWM%3d.
>
> Thank you.
>
> Arshad Noor
> StrongAuth, Inc.
>

Received on Wednesday, 6 July 2016 04:00:35 UTC