W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2018

RE: webauthn forces people to buy hardware

From: Sarangdhar, Nitin V <nitin.v.sarangdhar@intel.com>
Date: Thu, 9 Aug 2018 17:31:27 +0000
To: Markus Schräder <markus.schraeder@cryptomagic.eu>, John Bradley <ve7jtb@ve7jtb.com>, "public-webauthn@w3.org" <public-webauthn@w3.org>
Message-ID: <880BD5D76227CF4D9E636AF77C85E1D3869EC680@fmsmsx115.amr.corp.intel.com>
TPM is integrated inside Intel HW which is used for protection of HW keys and hence as long as the PC ships in TPM enabled mode there is no need to purchase additional HW to meet this requirement.

Having said this, a pure SW based authenticator is allowed by FIDO security level 1.

Nitin Sarangdhar
Sr. Principal Engineer
(503)-264-6140

From: Markus Schräder [mailto:markus.schraeder@cryptomagic.eu]
Sent: Thursday, August 09, 2018 10:20 AM
To: John Bradley <ve7jtb@ve7jtb.com>; public-webauthn@w3.org
Subject: Re: webauthn forces people to buy hardware


Hi John,

it is understandable that a vendor of hardware tokens, here yubico, likes the idea that - at least some - people are force to buy a hardware from them.

I think a paper from/for webbrowser vendors should not support this behavior and makes clear that a only software authenticator MUST be implemented so this does not lead to a abuse of power by forcing the users to buy this hardware.

You can say that this cases you mentioned makes this problem away - I just do not think so. Any user who gets forced to buy this hardware, without any need, is in my eyes a user too much. There is just no need to not allow this, if you show the user a warning - maybe every login - that this could be more secure by a hardware token. But to not ensure that the user can do without - already in the paper - is for me abusement of your power.

A paper should in my eyes also mention this ethical aspect and not just skip this by cases where this is not a problem. I think nobody should support this interest of companies like yubico, also not for security - what by the way is not given at all: Also a hardware token do not prevent man-in-the-middle attacks. It only stops copying keys - but this is another disussion.

Regards,
Markus Schraeder

On 09.08.2018 18:39, John Bradley wrote:
Windows Edge supports platform a platform authenticator unlocked by Windows Hello biometrics or by a pin.   At some point the OS API for the platform authenticator will be opend up to other browsers.   I beleve the keys are stored in the TPM.

Chrome has a platform authenticator behind a flag on OSX using the touch bar,  and coming for Android.

Mozilla has some sort of beta test authenticator you can turn on with a flag.

The question for cross platform clients is where to store the private keys.
Based on attestations RP should be able to tell if the keys are in hardware or in software.

Nothing prevents an entirely software authenticator.  It however may be treated differently by some RP.

Our hope is that most devices will support some built in secure key storage.

There is a separation between the software client that is part of the browser and the authenticator.  However the authenticator has more options than just a separate hardware device.

Regards
John B.

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10

From: Emil Lundberg<mailto:emil@yubico.com>
Sent: Thursday, August 9, 2018 12:28 PM
To: Markus Schräder<mailto:markus.schraeder@cryptomagic.eu>
Cc: public-webauthn@w3.org<mailto:public-webauthn@w3.org>
Subject: Re: webauthn forces people to buy hardware

This is a continuation of a discussion that started in issue 1027: https://github.com/w3c/webauthn/issues/1027

>The paragraph 5. says, that Autentication has to be used on a client platform, which is in 4. defined as a client software and a client hardware binding - the software alone is not allowed to authenticate.

No, the term "client platform<https://w3c.github.io/webauthn/#client-platform>" is defined as

>A client device<https://w3c.github.io/webauthn/#client-device> and a client<https://w3c.github.io/webauthn/#client> together make up a client platform<https://w3c.github.io/webauthn/#client-platform>.

and "client device<https://w3c.github.io/webauthn/#client-device>" as

>The hardware device on which the WebAuthn Client<https://w3c.github.io/webauthn/#webauthn-client> runs, for example a smartphone, a laptop computer or a desktop computer, and the operating system running on that hardware.

These terms make no assumptions about whether the authenticator is implemented in hardware or pure software.

>I think it is not a acceptable requirement for users to have to buy hardware to be able to use webauthn. Or more precisely: To exclude persons from webauthn who currently have no hardware to be able to be used by webauthn, or to force them to buy one.

We do not expect most users to buy separate authenticator hardware in order to use WebAuthn. It's more likely that most users will use the platform authenticators integrated into their mobile devices and laptops for most use cases, some of which will likely also be made available to other devices as external authenticators via Bluetooth.

I hope this goes some way to alleviate your concerns.

/Emil

On Thu, Aug 9, 2018 at 5:44 PM Markus Schräder <markus.schraeder@cryptomagic.eu<mailto:markus.schraeder@cryptomagic.eu>> wrote:

Hello Webautn,

I want to talk about an ethical aspect of the currently webauthn paper.

The paragraph 5. says, that Autentication has to be used on a client platform, which is in 4. defined as a client software and a client hardware binding - the software alone is not allowed to authenticate.
I think it is not a acceptable requirement for users to have to buy hardware to be able to use webauthn. Or more precisely: To exclude persons from webauthn who currently have no hardware to be able to be used by webauthn, or to force them to buy one.

Please think about this, and specify in the standard that there be at best MUST be a way to fetch a public key without a hardward binding in background if there is none.

Or ask: Is the other way, forcing your users to buy hardware to regain security, realy ethically an option to you?!

Regards,
Markus Schräder

P.S.: Are there established alternatives?

The alternative established easy(!) way, which we daily use, without hardware binding just in the client software, just got removed on chrome by removing the keygen-tag and is also going to be removed by firefox soon. There is a .p12 import alternative way on windows and mac - but not for firefox. So we especially need in firefox webauthn to able to allow users to get authentication security.

The thing is: The removing from chrome does not hit many users, cause you can simply import on windows and macos a .p12 file and your're done. But firefox hat its own certification store so this will not help in this case! If firefox also removes the keygen-tag, and webautn will exlude persons without a bought hardware token, you are just taking a established security feature from them.

--

Markus Schräder

Geschäftsführer



CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg<https://maps.google.com/?q=Werner-von-Siemens+Str.+6,+86159+Augsburg&entry=gmail&source=g>, https://www.cryptomagic.eu


Tel: 0821 / 217 009-0 (Durchwahl: -11), Fax: 0821/217 009-99

Geschäftsführer: Markus Schräder

Sitz der Gesellschaft: Augsburg; Registergericht: Amtsgericht Augsburg; Registernummer: HRB30402

USt-ID: DE305330428, St-Nr: 103/123/80744
--

Emil Lundberg

Software Developer | Yubico<http://www.yubico.com/>






--

Markus Schräder

Geschäftsführer



CryptoMagic GmbH, Werner-von-Siemens Str. 6, 86159 Augsburg, https://www.cryptomagic.eu


Tel: 0821 / 217 009-0 (Durchwahl: -11), Fax: 0821/217 009-99

Geschäftsführer: Markus Schräder

Sitz der Gesellschaft: Augsburg; Registergericht: Amtsgericht Augsburg; Registernummer: HRB30402

USt-ID: DE305330428, St-Nr: 103/123/80744
Received on Thursday, 9 August 2018 17:32:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:54 UTC