Re: [webauthn] User agent / key management [authenticator] interoperability requirements? from Emil Lundberg via GitHub on 2018-08-09 (public-webauthn@w3.org from August 2018)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 09 Aug 2018 12:42:19 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-411743716-1533818538-sysbot+gh@w3.org>

I'd say plenty of consideration has been given to these concerns. Some main topics:

**Key loss / account recovery**

1. Individual credentials are designed to be narrowly scoped, disposable and replaceable, rather than ubiquitous and long-lived. We expect users to have more than one credential registered to their account; this way losing one does not lock them out of the account, and the lost credential can simply be revoked and replaced.

**Key mobility**

2. External ("roaming") authenticators are explicitly designed for the use case of using the same credential across multiple client devices - or for initial login to a new client device before a platform credential can be created there - and may implement several transport modes to support a wide variety of client devices (e.g., USB-A for desktops/laptops and NFC for mobile devices).
3. WebAuthn is designed to be compatible with the [FIDO Client to Authenticator Protocol (CTAP)][ctap] as a standardised protocol for external authenticators. Although WebAuthn doesn't actually _require_ implementers to support CTAP, at least Chrome, Firefox and Edge are implementing it.
4. Client platforms may make their platform authenticators available to other client devices - for example, Google is interested in making the platform authenticators on Android smartphones available as roaming authenticators over Bluetooth. This will also use the CTAP protocol for communication between the smartphone and the other client device.

We don't provide any standardised API for software-based authenticators to integrate with, however, although such things should be possible to do as browser plugins.

I don't think the "Network API" example would work with WebAuthn, since there are no central servers for a separate device to be connected to to listen for authentication requests. It could be doable with a third-party browser plugin, server and listener app, but nothing we could feasibly standardise at this point. The "mobile device as bluetooth authenticator" use case solves much the same things, though.

[ctap]: https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-client-to-authenticator-protocol-v2.0-rd-20170927.html

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1020#issuecomment-411743716 using your GitHub account

Received on Thursday, 9 August 2018 12:42:21 UTC