Re: [webauthn] Clarify examples: 1.1.1. Registration / 1.1.2. Authentication

From: John Bradley <jbradley@yubico.com>
Date: Fri, 20 Apr 2018 19:14:35 +0000
Message-ID: <CAEY7Pj8UYy4XwFtLVWjqmBxH23JGnRpEZm0gAH6Ff69=moE6xQ@mail.gmail.com>
To: Adam Langley via GitHub <sysbot+gh@w3.org>
Cc: W3C Web Authn WG <public-webauthn@w3.org>

The direct connection via CTAP to the user agent is what enables phishing
protection, both by signing a hash of the origin and optionally the token
bindingID.

What you are suggesting with generic push notification would have different
and arguably worse privacy and security characteristics.

Platforms will have local (built in) authenticators as options for people.

NFC and USB just work for external CTAP authenticators.  BLE requires a
pairing but that should be once per device.

There are things that we can work on to improve BLE pairing. Let's go
that direction rather than make the credentials phishable.

John B.

On Thu, Apr 19, 2018, 10:57 AM binaryanomaly via GitHub <sysbot+gh@w3.org>
wrote:

> Thanks.
>
> The reason why I propose this clarification is that when I read
> the examples initially, I got the impression that this would work in a
> similar manner to "Google 2-Step Verification phone prompts"
> https://support.google.com/accounts/answer/7026266 but with Secure
> enclave / PKI technology protected by biometrics - which would be nice.
> This seems not to be the case though with the current version because we
> have "only" NFC, BLE and USB available.
>
> I could imagine though that from an end-user perspective it could be an
> advantage to have the protocol also available via a combination of TCP/IP
> backchannel and (push) notifications as a trigger, since not every device
> has NFC, BLE and plugging in USB is also a bit tedious/physically
> constrained.
> Web Authentication and CTAP seem to be generic enough that this extension
> could be possible on top of it. Having this standardized could leverage
> adoption since as of today you would have to do this custom for every OS,
> whereas a standard would scale better for implementation.
>
> I realize the last part is maybe a bit OT. It could be a possible
> extension for a future version or an Extension as in Chapter 9 though?
>
> --
> GitHub Notification of comment by binaryanomaly
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/874#issuecomment-382825740 using
> your GitHub account
>
>
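John's point about signing a hash of the origin, worked through as an added example that is not part of this thread or of any WebAuthn implementation: a relying-party check in Go, with the authenticator side simulated in-process. The ECDSA key, the authenticator data bytes, the challenge and the two origins are constructed sample values; token binding is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the CollectedClientData fields this check needs (token binding omitted).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
// The browser writes the origin into clientDataJSON, so the origin is covered by the signature.
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// verify models the relying party: type, challenge and origin are checked, then the signature.
func verify(pub *ecdsa.PublicKey, origin, challenge string, authData, clientDataJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(clientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, clientDataJSON), sig)
}

// scenario signs constructed data as the authenticator would and returns
// (genuine assertion accepted, assertion minted at a look-alike origin accepted).
func scenario() (bool, bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	authData := []byte("constructed-authenticator-data") // rpIdHash||flags||signCount in real use
	const rp, chal = "https://example.org", "c2FtcGxl"
	genuine, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: chal, Origin: rp})
	sigG, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, genuine))
	relayed, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: chal, Origin: "https://phish.example"})
	sigR, _ := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, relayed))
	return verify(&key.PublicKey, rp, chal, authData, genuine, sigG), verify(&key.PublicKey, rp, chal, authData, relayed, sigR)
}

func main() { fmt.Println(scenario()) } // prints: true false
```

Because the origin is inside the signed data, rewriting clientDataJSON after the fact breaks the signature, and a push-style relay that never sees the browser's origin has nothing equivalent to bind.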
Received on Friday, 20 April 2018 19:15:11 UTC