Re: [webauthn] Authenticator session not possible for BLE

Thank you. 

The main problem that this approach does not address is that for most authenticators, it isn't possible to see which operation you are approving. So even if there is multiple session support and the clients know which session the authenticator is currently handling, the user does not. I consider this a security issue more than a usability issue.

If there are two clients trying actions simultaneously, it might not even be possible for the user to see this. On USB, there would be, at best, a slight hesitation in the blinking of the authenticator between two operations (perhaps even hidden by his finger during UP). The user is likely to assume his touch failed and touch again, approving both. For NFC, it might very well be that your card is in the NFC field long enough for both operations to complete (and card presence is sufficient for UP in the NFC case).

I haven't tried in a while but at some point Chrome terminated all U2F sessions if the browser window lost focus, which is a practical solution to the issue.

As for BLE, if two clients collide, both will fail: a much better solution from a security point of view. As for usability, this is only a problem if the user initiates two logins at the same time and the client can detect this by the error that is returned. There are several well-understood strategies to handle such collisions.

I believe it would be better to change the session wording here in WebAuthn to allow for session collision to fail both sessions than trying to push this down into CTAP. It will require invasive changes to the BLE CTAP protocol to add support for this.


-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/649#issuecomment-337237611 using your GitHub account

Received on Tuesday, 17 October 2017 13:49:58 UTC