W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2018

Re: [webauthn] None hardware/device option - as for ssl client certificates

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 08 Aug 2018 15:12:57 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-411441722-1533741175-sysbot+gh@w3.org>
The spec is indeed written with hardware-backed authenticators (external or built-in) as the main concern, but WebAuthn does not in any way forbid integration of purely software-based authenticators. The "client platform" terminology mentioned above has nothing to do with this, it's just a term that allows us to concisely refer to the browser, OS and client computer as a whole.

It's perfectly possible for browsers or browser plugins to provide support for software authenticators, although WebAuthn provides no standardised API for doing that. For example you could implement a "bridge" that uses a TLS certificate/key file as its backend - although such an implementation would likely break the privacy expectations on authenticators since a minimal implementation would likely use the same public key for every RP.

>I also think that it is just unethical to force users to buy hardware to get security [...]

Again, note that we expect that TPMs and secure enclaves built into laptops, mobile devices etc. will be usable as WebAuthn authenticators. We do not expect every user to buy an external authenticator - most will likely just use the ones already built into their iPhones and Android devices.

The main drawback of software authenticators is that they cannot produce meaningful attestation statements, since they cannot acquire and store an attestation key without exposing it to the operating system (unless the software authenticator itself is part of the OS, of course). Be it external or built-in hardware, but some hardware that can safely transport an attestation key is required for attestation to work, and attestation is required for use cases where the RP must fulfill certain security guarantees - for example government and financial institutions, which may have such requirements imposed upon them by law.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1027#issuecomment-411441722 using your GitHub account
Received on Wednesday, 8 August 2018 15:13:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:54 UTC