Re: [webauthn] What's this SPEC for?

>1. The user needn't remember so many usernames and passwords.

Web Authentication hopes to solve that as well. It will be up to each website to choose whether it still wants to use a username and/or password in addition to a Web Authentication 2nd factor, but it's perfectly possible for a website to use only a Web Authentication credential to identify and authenticate a user. From the user's perspective you could have a single PIN-protected security key on your keychain, and that security key is your "username" and "password" for as many websites as you want.

>He/She just needs to remember a UUID, and everything is done. One UUID can be used on every website.

Sorry, but I don't think asking people to remember 16 random bytes would be feasible. Even if it were, this would not be significantly better than a standard password. If the user is tricked into revealing their UUID - by a phishing attack, for example - then all their accounts everywhere on the web are taken over. By contrast, a Web Authentication credential cannot be stolen in this way because the private key never leaves the authenticator.

>2. Different PCs or different browsers needn't to sync data.

They don't need to sync anything to use Web Authentication credentials either. A platform credential will of course only be usable on a single device, but an external authenticator can be used on any device.

>3. Registering an account will be very easy.

It will be very easy for the user with Web Authentication as well - arguably easier than registering an account with a password, in the simplest case. One possible example:

1. User visits example.com on their phone.
2. example.com asks if the user wants to create an account.
3. User clicks "yes".
4. Browser asks the user to type a PIN or scan their fingerprint.
5. example.com confirms that the account has been created and logs the user in.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/820#issuecomment-368939693 using your GitHub account

Received on Tuesday, 27 February 2018 16:33:29 UTC