Re: [webauthn] Feature request: Add API for android finger print reader

The Web Authentication working group is probably the right place to ask this, but I think this is out of scope for the Web Authentication spec. Web Authentication is an API specifically for creating and accessing public key credentials; biometrics is a separate concern. Web Authentication does specify an API for verifying the identity of the user, namely the `UV` flag in the [Authenticator Data][authdata], but it gives no indication of how that verification was made. That information could be available in the attestation certificate in the credential registration, but it would be specific to the authenticator model and is also outside the current scope of the spec.

Even if you don't use Web Authentication I would advise against using fingerprints directly as the proof of identity, because fingerprints are [easy][easy] [to][to] [copy][copy] and difficult to replace. In fact, fingerprints are arguably worse than passwords in this regard. Web Authentication solves this issue by allowing fingerprints, and/or other biometrics, to be used as a client-side lock, but the fingerprint is intentionally never visible to the Relying Party (server). In this way the actual credential, the public key, can be revoked and replaced if the authenticator is lost or stolen. It also prevents a security breach at one cloud service from leaking fingerprint credentials that could be replayed to forge logins elsewhere.

[authdata]: https://www.w3.org/TR/webauthn/#sec-authenticator-data
[easy]: https://www.youtube.com/watch?v=bp-MrrAmprA
[to]: https://www.wikihow.com/Fake-Fingerprints
[copy]: http://www.instructables.com/id/How-To-Fool-a-Fingerprint-Security-System-As-Easy-/

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/659#issuecomment-338475737 using your GitHub account

Received on Sunday, 22 October 2017 13:03:45 UTC
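Added example, not part of the original thread or emlun's comment: a small Relying Party-side parser for the Authenticator Data structure referenced above, showing that the only thing a server ever sees about user verification is the `UV` bit in the flags byte (bit 2), not the fingerprint itself. The byte layout (rpIdHash, flags, signCount, then optional attested credential data with AAGUID and credential ID) follows the spec section linked in the message; the sample inputs are constructed here, the `example.com` RP ID is an assumption, and the COSE_Key public key is left as raw bytes rather than decoded.

```python
"""Parse WebAuthn authenticator data and apply the RP's UV policy.

Added example, not code from the original thread. Layout per
https://www.w3.org/TR/webauthn/#sec-authenticator-data:
  rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
  | [attestedCredentialData if AT set] | [extensions (CBOR) if ED set]
attestedCredentialData:
  aaguid (16) | credentialIdLength (2, big-endian) | credentialId
  | credentialPublicKey (COSE_Key, CBOR; kept raw here, not decoded)
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

FLAG_UP = 0x01  # bit 0: User Present (a touch/gesture happened)
FLAG_UV = 0x04  # bit 2: User Verified (PIN, biometric, ...; method not disclosed)
FLAG_AT = 0x40  # bit 6: attested credential data follows
FLAG_ED = 0x80  # bit 7: extension data follows


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes] = None
    credential_id: Optional[bytes] = None
    credential_public_key: Optional[bytes] = None  # raw CBOR, not decoded

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_authenticator_data(data: bytes) -> AuthenticatorData:
    """Split the fixed 37-byte header and, if AT is set, the credential data."""
    if len(data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    auth = AuthenticatorData(rp_id_hash, flags, sign_count)
    if flags & FLAG_AT:
        offset = 37
        if len(data) < offset + 18:
            raise ValueError("truncated attested credential data")
        auth.aaguid = data[offset:offset + 16]
        (cred_len,) = struct.unpack(">H", data[offset + 16:offset + 18])
        offset += 18
        if len(data) < offset + cred_len:
            raise ValueError("truncated credential ID")
        auth.credential_id = data[offset:offset + cred_len]
        # The remainder is the COSE_Key (plus extensions if ED is set);
        # separating those needs a CBOR decoder, so it is kept raw.
        auth.credential_public_key = data[offset + cred_len:]
    return auth


def check_assertion_flags(auth: AuthenticatorData, rp_id: str,
                          user_verification: str) -> Tuple[bool, str]:
    """RP-side checks on rpIdHash, UP and UV.

    user_verification mirrors the PublicKeyCredentialRequestOptions value:
    "required", "preferred" or "discouraged". Note that nothing here can
    tell a fingerprint from a PIN; the authenticator only reports UV.
    """
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID"
    if not auth.user_present:
        return False, "UP flag not set"
    if user_verification == "required" and not auth.user_verified:
        return False, "UV required by the RP but flag not set"
    return True, "ok"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             aaguid: bytes = bytes(16), credential_id: bytes = b"",
                             cose_key: bytes = b"") -> bytes:
    """Construct sample authenticator data (test input only, not real device output)."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
    out += struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        out += aaguid + struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return out


# Constructed samples (assumed RP ID "example.com"); a real registration
# would carry a COSE_Key where cose_key is empty below.
SAMPLE_WITH_UV = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 42)
SAMPLE_NO_UV = build_authenticator_data("example.com", FLAG_UP, 43)
SAMPLE_REG = build_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 0,
                                      aaguid=bytes(16), credential_id=b"\x01" * 32)

if __name__ == "__main__":
    for name, sample in (("with UV", SAMPLE_WITH_UV), ("without UV", SAMPLE_NO_UV)):
        auth = parse_authenticator_data(sample)
        print(name, "required ->", check_assertion_flags(auth, "example.com", "required"))
        print(name, "preferred ->", check_assertion_flags(auth, "example.com", "preferred"))
```

The `required` policy is where the distinction in the message bites: an assertion with only `UP` set is rejected, one with `UV` set is accepted, and in neither case does the RP learn whether a fingerprint, a PIN or something else satisfied the authenticator. Identifying the authenticator model (and therefore its verification methods) would have to come from the AAGUID and the attestation statement at registration, which this example only surfaces as raw fields.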