W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2018

[webauthn] User agent / key management [authenticator] interoperability requirements?

From: mhano via GitHub <sysbot+gh@w3.org>
Date: Wed, 01 Aug 2018 09:50:11 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-346527863-1533117010-sysbot+gh@w3.org>
mhano has just created a new issue for https://github.com/w3c/webauthn:

== User agent / key management [authenticator] interoperability requirements? ==
One of the primary challenges with previous asymmetric cryptography browser based authentication schemes has been key management (and notably keys being locked into devices/applications).

#### Some of the Historic Issues:
- Keys lost on OS upgrade / re-installs / wipes / device loss.
- Keys not usable across form factors (mobile app vs desktop browser).
- Keys not usable across devices from different walled ecosystems (apple, google etc.).
- Keys not usable across user-agents / applications.
- Security of keys compromised by malware on devices (sure addressable if user is going to use an external USB key store but these are problematic on many form factors).

Has consideration been given to requiring that user agents support a minimum set of standard APIs for connecting to external software/hardware authenticators / key stores (such that key managers [authenticators] are made available to the user agent via a simple standardised minimum set of APIs / easy user registration).

Note, none of this requires sharing private key material between devices (this is simply about ensuring that 'user agents' can connect to compliant 'authenticators' in standardised ways rather than allowing user agent vendors to support this spec by simply extending their existing walled-ecosystem password/key-management solution).

## Example use cases / APIs

### Network API
Require that user agents support a Network API which requests authentication (where supported by platform i.e. all network connected devices).
- e.g. Allow user to authorise website login on a desktop device by biometric authentication / presence confirmation / pin entry / etc. on a mobile device (obviously dependant on mobile device app push notifications etc.)

### Local Software API
Require that user agents allow registering of key manager locally. I.e. a conformant 3rdp party password manager (where supported by platform).
- e.g. Key manager could be a local password manager (used across browsers / apps) or software that defers authentication to a more trusted device (i.e. mobile / specialised device etc.) via either a network or local (physical / USB / Bluetooth / NFC) communication.

## Why

Unless the specification mandates and standardises the minimum level of support for external key management there is potentially a risk that these keys will be locked into single platforms like passwords are today (chrome vs safari vs msie password management solutions).

## References

[Ref: 2.2:](https://www.w3.org/TR/webauthn/#conforming-authenticators) As described in ยง1.1 Use Cases, an authenticator may be implemented in the operating system underlying the User Agent, or in external hardware, or a combination of both.

[Ref: 5.1.3:](https://www.w3.org/TR/webauthn/#createCredential) During the above process, the user agent SHOULD show some UI to the user to guide them in the process of selecting and authorizing an authenticator. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1020 using your GitHub account
Received on Wednesday, 1 August 2018 09:50:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:53 UTC