Re: webauthn forces people to buy hardware

From: Emil Lundberg <emil@yubico.com>
Date: Thu, 9 Aug 2018 18:27:06 +0200
Message-ID: <CANMnvkzSPLw88s4kFeQt_n6WtE8ESQ7MLZnchwGgpgJkEsJ7TA@mail.gmail.com>
To: Markus Schräder <markus.schraeder@cryptomagic.eu>
Cc: public-webauthn@w3.org

This is a continuation of a discussion that started in issue 1027:
https://github.com/w3c/webauthn/issues/1027

> Paragraph 5. says that Authentication has to be used on a client
> platform, which in 4. is defined as a client software and a client
> *hardware binding* - the software alone is not allowed to authenticate.

No, the term "client platform
<https://w3c.github.io/webauthn/#client-platform>" is defined as

> A client device <https://w3c.github.io/webauthn/#client-device> and a
> client <https://w3c.github.io/webauthn/#client> together make up a client
> platform <https://w3c.github.io/webauthn/#client-platform>.

and "client device <https://w3c.github.io/webauthn/#client-device>" as

> The hardware device on which the WebAuthn Client
> <https://w3c.github.io/webauthn/#webauthn-client> runs, for example a
> smartphone, a laptop computer or a desktop computer, and the operating
> system running on that hardware.

These terms make no assumptions about whether the authenticator is
implemented in hardware or pure software.

> I think it is not an acceptable requirement for users to have to buy
> hardware to be able to use webauthn. Or more precisely: to exclude persons
> from webauthn who currently have no hardware that can be used by
> webauthn, or to force them to buy one.

We do not expect most users to buy separate authenticator hardware in order
to use WebAuthn. It's more likely that most users will use the platform
authenticators integrated into their mobile devices and laptops for most
use cases, some of which will likely also be made available to other
devices as external authenticators via Bluetooth.

I hope this goes some way to alleviate your concerns.

/Emil

On Thu, Aug 9, 2018 at 5:44 PM Markus Schräder <markus.schraeder@cryptomagic.eu> wrote:

> Hello WebAuthn,
>
> I want to talk about an ethical aspect of the current webauthn paper.
>
> Paragraph 5. says that Authentication has to be used on a client
> platform, which in 4. is defined as a client software and a client
> *hardware binding* - the software alone is not allowed to authenticate.
> I think it is not an acceptable requirement for users to have to buy
> hardware to be able to use webauthn. Or more precisely: to exclude persons
> from webauthn who currently have no hardware that can be used by
> webauthn, or to force them to buy one.
>
> Please think about this, and specify in the standard that there at best
> MUST be a way to fetch a public key without a hardware binding in the
> background if there is none.
>
> Or ask: Is the other way, forcing your users to buy hardware to regain
> security, really ethically an option to you?!
>
> Regards,
> Markus Schräder
>
> P.S.: Are there established alternatives?
>
> The alternative established easy(!) way, which we use daily, *without
> hardware binding*, just in the client software, just got removed in Chrome
> by removing the keygen tag and is also going to be removed by Firefox soon.
> There is a .p12 import alternative on Windows and Mac - but not for
> Firefox. So we especially need webauthn in Firefox to be able to allow users
> to get authentication security.
>
> The thing is: the removal from Chrome does not hit many users, because you
> can simply import a .p12 file on Windows and macOS and you're done. But
> Firefox has its own certificate store, so this will not help in this case!
> If Firefox also removes the keygen tag, and webauthn will exclude persons
> without a bought hardware token, you are just taking an established security
> feature from them.
>
> --
>
> Markus Schräder
> Managing Director
>
> CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu
> Tel: 0821 / 217 009-0 (extension: -11), Fax: 0821/217 009-99
> Managing Director: Markus Schräder
> Registered office: Augsburg; Register court: Amtsgericht Augsburg; Registration number: HRB30402
> VAT ID: DE305330428, Tax no.: 103/123/80744
>
> --

Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>
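
The distinction drawn above between the client platform (device plus browser) and the authenticator shows up concretely in the options a relying party passes to navigator.credentials.create(). What follows is an added example, not code from this thread, from Yubico, or from the WebAuthn specification: it builds PublicKeyCredentialCreationOptions whose authenticatorSelection leaves authenticatorAttachment unset, so the browser may offer the platform authenticator built into the laptop or phone as well as a roaming one reached over USB, NFC or Bluetooth, and it requests attestation "none", so the RP is not asking the authenticator to prove what make of hardware it is. The RP id, user record and all-zero challenge are constructed placeholders, and requiresRoamingAuthenticator is a helper name assumed for this example.

```javascript
// Added example: how a relying party's registration request decides which
// authenticators the browser may use. Not code from the mailing-list thread.

// Constructed placeholder inputs (not real RP data). In production the
// challenge is generated server-side and must be unpredictable; it is a
// fixed zero buffer here only so the example runs offline.
const SAMPLE_RP = { id: "example.com", name: "Example RP" };
const SAMPLE_USER = {
  id: new Uint8Array([1, 2, 3, 4]),          // opaque user handle
  name: "alice@example.com",
  displayName: "Alice",
};
const SAMPLE_CHALLENGE = new Uint8Array(32); // placeholder only

// Build PublicKeyCredentialCreationOptions. `attachment` may be undefined
// (any authenticator), "platform" (built into the client device) or
// "cross-platform" (a separate roaming authenticator over USB/NFC/BLE).
function buildCreationOptions({ rp, user, challenge, attachment }) {
  if (attachment !== undefined &&
      attachment !== "platform" && attachment !== "cross-platform") {
    throw new Error(`unknown authenticatorAttachment: ${attachment}`);
  }
  const authenticatorSelection = {
    requireResidentKey: false,     // WebAuthn Level 1 member name
    userVerification: "preferred",
  };
  // Only constrain the attachment when the RP has a concrete reason to;
  // leaving it unset is what lets a built-in (platform) authenticator be used.
  if (attachment !== undefined) {
    authenticatorSelection.authenticatorAttachment = attachment;
  }
  return {
    publicKey: {
      rp,
      user,
      challenge,
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256 (COSE identifier)
        { type: "public-key", alg: -257 }, // RS256 (COSE identifier)
      ],
      timeout: 60000,
      // "none": the RP does not ask the authenticator to prove its make or
      // model, so no authenticator is rejected on that basis.
      attestation: "none",
      authenticatorSelection,
    },
  };
}

// True only when the request pins the attachment to "cross-platform",
// i.e. the user must present a separate roaming authenticator.
function requiresRoamingAuthenticator(options) {
  const sel = options.publicKey.authenticatorSelection || {};
  return sel.authenticatorAttachment === "cross-platform";
}

// Run the registration ceremony in a browser; returns null outside one
// (e.g. under Node), so the option-building logic can still be exercised.
async function register(options) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    return null;
  }
  return navigator.credentials.create(options);
}

// Usage: the default request works with whatever authenticator the client
// platform offers, including one integrated into the device.
const defaultRequest = buildCreationOptions({
  rp: SAMPLE_RP, user: SAMPLE_USER, challenge: SAMPLE_CHALLENGE,
});
```

The RP's own verification policy matters as much as the request: an RP that demands attestation and then only accepts attestation roots from particular hardware vendors would exclude software authenticators even though the request above would not. Whether to do so is a deployment decision, not something the specification's definitions impose.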
Received on Thursday, 9 August 2018 16:27:48 UTC
