Re: [webauthn] WebAuthn available to Workers? aka "silent authentication"

I may not have understood all the requirements, but from the looks of it, there are some scenarios where the user needs to authenticate first but can do silent authentication thereafter for a certain period of time or regularly.

Possibly there can be other scenarios where the RP does not have a problem with silent signatures altogether and does not need that first user-verified/presence-required assertion.

Another set of scenarios can be where the RP needs the guarantee that every signature requires user presence and/or user verification. This is the current default in terms of the user presence requirement and provides assurance to the RP that no malware can get silent signatures from the web. This is the requirement for high-value keys.

The solution needs to be comprehensive for all the above requirements, although I do not understand the scenarios and use cases for it. This is complex, and the only way I can think of is specifying this behavior for the key at the time of authenticatorMakeCredential and the ability for the platform to query this information from the authenticator.

With all that said, silent signatures from the web are a super-cookie for us and are very, very dangerous, and they bring more harm than good for the whole ecosystem, where many RPs will try to think of it as a feature without understanding the security guarantees of the choices they are making for their keys. Some RPs may willingly try to track users on the web with economic and/or other not-so-good intentions. Being able to get silent signatures basically means that the user has their device plugged in to the system or is nearby. Cross-scripting attacks are also very real from browser pages.

In my view, it's not worth it.


-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/199#issuecomment-341610771 using your GitHub account

Received on Friday, 3 November 2017 02:38:42 UTC
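The third scenario above, where the RP needs a guarantee that every signature carried user presence and/or user verification, is enforced on the RP side by inspecting the flags byte of the assertion's authenticator data. The following is an added example (not code from akshayku or from the w3c/webauthn project) that parses that byte and rejects a silent assertion; `make_auth_data` builds a constructed sample and the RP ID "example.com" is an assumption.

```python
import hashlib
import struct

# Authenticator data layout (WebAuthn):
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticator data into its fields."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": sign_count,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
    }


def check_assertion_flags(auth_data: bytes, rp_id: str,
                          user_verification: str = "preferred") -> tuple:
    """RP-side policy: refuse silent assertions (no UP), and when the RP asked
    for userVerification 'required', also refuse assertions without UV."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return (False, "rpIdHash does not match this RP")
    if not parsed["up"]:
        return (False, "silent assertion rejected: user presence flag not set")
    if user_verification == "required" and not parsed["uv"]:
        return (False, "user verification required but UV flag not set")
    return (True, "ok")


def make_auth_data(flags: int, rp_id: str = "example.com", sign_count: int = 1) -> bytes:
    """Constructed sample authenticator data for testing (not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for flags in (0x00, FLAG_UP, FLAG_UP | FLAG_UV):
        print(hex(flags), check_assertion_flags(make_auth_data(flags), "example.com", "required"))
```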