W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2017

Re: [webauthn] Pre-Registration Discovery

From: Arshad Noor <arshad.noor@strongauth.com>
Date: Thu, 6 Jul 2017 19:00:10 -0700
To: public-webauthn@w3.org
Message-ID: <27589a93-073b-643c-f7b5-c179f7dbd5d2@strongauth.com>
Hi Brad,

I'm not going to discuss the merits/demerits of "advertising" that I 
have a FIDO U2F Authenticator (its bad enough that business models are
so skewed already to profit on users' private information without users
having to advertise something about themselves); but I'd like to play
Devil's Advocate on this and ask the question.

What prevents the world's most well-known websites that support FIDO
from displaying, on their home-page or login page, that they support
strong-authentication?  And, making it the first choice for sign-ups?
Let's see how many well-known sites advertise that they use strong-
authentication to protect users on their home-page?

https://www.facebook.com/ - Nope; only has password.
https://accounts.google.com - Nope - password again.
https://github.com/login -  Whoops, a password...
https://www.dropbox.com/login - Yet another password.. and
https://login.salesforce.com/ - Guess what?  Password again.

Now, lets see what an obscure small business that builds an open-
source FIDO Certified server does with a couple of FIDO-enabled
applications it builds:

https://fsodemo.strongauth.com/fso/#/ - Hmmmm.. Where's the password?
https://fidodemo.strongauth.com/pnoc - What? The password is 2nd choice?

Brad, I'm not trying to ridicule your efforts at helping people use
strong-authentication; I applaud your efforts - and of all these
companies who have invested time and money to integrate FIDO into their
sites.  But, that's just NOT enough!!

Its not enough to claim on blogs, PR and mailing lists that a site
supports strong-authentication.  You need to "shove it into their faces"
that this is what you have now, and this is for *their* benefit.

While I recognize that the business models of these companies depend
very much on making the sign-up and login process as painless as
possible, I can only imagine the amount of money that is wasted in
protecting these sites from constant attacks because of passwords.
I don't have the data, but I am willing to make a small wager that
FIDO-enabled sites that do not make strong-authentication the first
and default choice for sign-ups and logins, are reducing their
overall profits by not educating people about FIDO when they first
land on these home pages.

IMHO, it is *not* enough to silently protect users - it is imperative
you educate them first.  Its the same old story about "giving someone
a fish to eat, or teaching them how to fish".

Keep up the good work though; every little bit helps - and thanks for
reading this.

Arshad Noor
StrongAuth, Inc.

On 07/06/2017 05:50 PM, Brad Hill via GitHub wrote:
> hillbrad has just created a new issue for https://github.com/w3c/webauthn:
> == Pre-Registration Discovery ==
> Greetings, WebAuthN folks.
> Facebook has now had U2F available as a second-factor authentication 
> technology for not quite six months.  I'd like to share some challenges 
> we have and are encountering with our deployment in hopes that these 
> might be addressed by the WebAuthN work.
> Specifically, I want to raise the issue that the lack of 
> pre-registration discovery presents a major obstacle to both reach and 
> usability.
> In terms of reach, only a small number of people actually have U2F 
> devices.  We would like to be able to enroll as many active users of 
> these devices as possible, and expect that most people who are both U2F 
> and Facebook users would like to use their devices with us. And yet, 
> many people who use U2F don't know that Facebook supports it. If this is 
> the case for the highly technical segment of people using U2F today at 
> one of the world's most well-known websites, imagine how difficult this 
> will be in the tail of services that may support Web AuthN.
> It would be very helpful if, the first time a Web AuthN capability is 
> used in a user agent, the individual was presented with the option to 
> advertise that they have and use this capability, so that other services 
> that support it can promote it to the user or prompt them to set it up.
> A closely related problem is that giving good instructions to an 
> individual registering their authenticator is very difficult with no 
> information about how that authenticator is exposed or what ceremony is 
> necessary to use it.  Facebook currently generically instructs people to 
> insert their authenticator into the USB port of their computer, but 
> those instructions are flatly wrong for a BTLE attached device, or a U2F 
> capability integrated into the chipset of their device but exposed over 
> the USB bus.  Some of this information appears to become available as 
> selectors in the WebAuthN API after an authenticator has already been 
> registered, but not at the most critical time - when the person is first 
> setting it up.
> Again, it would be nice if there was an opt-in possible to let people 
> advertise that they have an authenticator, and its basic capabilities, 
> so that services which support it can present an appropriate 
> registration experience.
> Please view or discuss this issue at 
> https://github.com/w3c/webauthn/issues/503 using your GitHub account
Received on Friday, 7 July 2017 02:00:47 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:26 UTC