W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2016

[webauthn] WebAuthn available to Workers? aka "silent authentication"

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Wed, 14 Sep 2016 16:27:03 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-176954995-1473870421-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for 

== WebAuthn available to Workers?  aka "silent authentication" ==
As I recall, we've verbally discussed the question of whether the 
WebAuthn API ought to be available to {service, web}workers (aka 
"Workers") but we do not have an issue tracking it as yet AFAICT, so 
here it is. 

The default argument, as I recall, against worker use of WebAuthn is a
 UX one: authenticators, upon receiving a makeCredential() or 
getAssertion() call will signal to the user in some fashion, and since
 workers are asynchronous tasks, this may seem to the user like coming
 out of the blue and be confusing. 

Though, there are a couple of authenticator-behavior notions that do 
not always involve annunciation to the user (see also [1]):

1. for an already-registered authenticator, and an 
already-authenticated session, the RP may wish to 
periodically/asynchronously make a getAssertion() request in order to 
ascertain the continued presence of the same 
device+authenticator+privateKey as was present at the beginning of the
 session, and to do so, using subsequent getAssertion() requests 
without user interaction (because that can become tiresome and 
distracting to the user).   There may be a timeout associated with the
 session which upon expiry causes appropriate user interaction upon a 
subsequent getAssertion() request.  Let's term this "silent 

2. for a not-yet-registered so-called "silent authenticator" (the 
authnr has no provision for user interaction itself), and a session 
already authenticated  (either via webauthn or legacy means), the RP 
can send a makeCredential (aka register) request, the user is prompted
 (by the RP or platform) for consent and informed of that the nature 
of this authnr is to not (itself) prompt the user for registration or 
authentication events. If the user gives consent, the authnr is 
registered, and subsequently responds to getAssertion() requests from 
the RP without user annunciation. 

So, if there are use cases where an RP's webapp wishes to employ 
workers, say, to do some sort of background processing, and that RP 
wishes to employ [periodic|asynchronous] getAssertion() requests 
without user interaction (during some allowed time interval perhaps) 
to aid assurance of overall session context continuity, being able to 
employ (1) above may be useful.  

[1] See also the "silent authenticator" notion:
>* ASMs SHOULD ensure that applications cannot use silent 
authenticators for tracking purposes. ASMs implementing support for a 
silent authenticator MUST show, during every registration, a user 
interface which explains what a silent authenticator is, asking for 
the users consent for the registration. Also, it is RECOMMENDED that 
ASMs designed to support roaming silent authenticators either
>    - Run with a special permission/privilege on the system, or
>    - Have a built-in binding with the authenticator which ensures 
that other applications cannot directly communicate with the 
authenticator by bypassing this ASM.

> For silent authenticators, the key handle MUST never be stored on a 
FIDO Server, otherwise this would enable tracking of users without 
providing the ability for users to clear key handles from the local 

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/199 using your GitHub account
Received on Wednesday, 14 September 2016 16:27:11 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:22 UTC