W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2016

Re: [webauthn] Silent Authn? clarification of bit 0 in AuthenticatorData

From: Anthony Nadalin via GitHub <sysbot+gh@w3.org>
Date: Wed, 19 Oct 2016 21:06:25 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-254940830-1476911183-sysbot+gh@w3.org>
**Developer running Test Suite**
Developer is running a test suite on his PC that is making API calls 
to a cloud service.
The Developer would like to enhance the security posture and use a 
second factor when making API calls to the cloud service.
The Developer has previously enrolled his FIDO device with the cloud 
service, using standard enrolment, and has enabled MFA for API calls.
MFA API calls require the standard cloud service authentication, and 
FIDO device
The test suite runs the same code a number of times for code coverage,
 and each time, the code requires a 2F from a FIDO device  to make the
 API call.
The user does not want to touch the U2F device on each invocation of 
the code in the test suite.
 
**Production Server**
A PC is a production server that is making regular API calls to a 
cloud service.
The admin enrolls the FIDO token with a set of credentials at the 
cloud service and enables MFA on API calls.
The admin installs the standard credentials on the PC, and inserts the
 FIDO device into the PC.
The admin launches the application that makes the API calls on the PC,
 and the application uses the standard credentials and the FIDO device
 to regularly authenticate with no user present.
 
 
In both of these cases, an attacker needs to acquire both the standard
 cloud credentials and the physical FIDO device to make API calls from
 a separate machine.


-- 
GitHub Notification of comment by nadalin
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/22#issuecomment-254940830 using
 your GitHub account
Received on Wednesday, 19 October 2016 21:06:32 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:23 UTC