- From: J.C. Jones via GitHub <sysbot+gh@w3.org>
- Date: Wed, 30 May 2018 17:43:14 +0000
- To: public-webauthn@w3.org
This is similar to #904 in that it provides guidance to websites, but unlike #904 the data being asked for here isn't derivable by user agent matching. (`isUserVerifyingPlatformAuthenticatorAvailable` mostly is keeping people from hard-coding that certain versions of Windows or Android have built-in platform authenticators) This information would be a Boolean of "does the User Agent believe that this user is likely to be able to complete a WebAuthn transaction", which would be a new fingerprinting Boolean. As a fingerprint, this would be pretty powerful: It succinctly identifies security-conscious users. I would find that very helpful if I was deciding whether to download and run a malicious script, for example. Certainly if this were set, I might not want to try and phish a user, as the phishing might run into a strong 2FA mechanism. Our normal approach to a powerful fingerprint like this would be to make it per-origin, but that would largely defeat the purpose of the change, as it would then be doable using cookies. Note: Tor Browser would want to be able to lie about this, and perhaps also Incognito / Private Browsing modes. They'd need to lie with the majority to not identify those modes or browsers, so application developers would need to offer a way to get into a WebAuthn flow even if `isThereAnAuthenticator` returns `False`. ### Implementation thoughts I certainly see the value of what this issue is asking for. Just to get into the implementation weeds a bit, in Firefox we could implement this two ways: 1) We set a bit if the user's profile has ever completed a WebAuthn transaction (make credential or get assertion). When `isThereAnAuthenticator` is called, we return that bit. **Pro**: It's simple to implement. **Con**: It would return `False` at least once, even if a security key were plugged in. 2) We monitor USB HID for a compatible security key. If one is ever detected, we set a bit in the user's profile. When `isThereAnAuthenticator` is called, we return that bit. **Pro**: It corrects the situation where we return `False` when it's demonstrable that a security key is connected. **Con**: It requires a periodic check of the USB bus, which is currently not monitored in Firefox except during WebAuthn transactions. It also doesn't map well to wireless security keys, which would still be `False` until actually used. -- GitHub Notification of comment by jcjones Please view or discuss this issue at https://github.com/w3c/webauthn/issues/920#issuecomment-393253949 using your GitHub account
Received on Wednesday, 30 May 2018 17:43:16 UTC