Draft: WebAuthn recovery extension

From: Emil Lundberg <emil@yubico.com>
Date: Mon, 22 Oct 2018 12:19:53 +0200
Message-ID: <CANMnvkwUi585b=oiFEvRkZgh3rp+ezAkMsoL2f+q9mOzXgt1EA@mail.gmail.com>
To: W3C Web Authn WG <public-webauthn@w3.org>
Cc: Christopher Harrell <cnh@yubico.com>, Dain Nilsson <dain@yubico.com>

Hi all,

Here is our current draft of the recovery extension idea I presented at
TPAC today. We don't yet feel comfortable sharing the details of the crypto
in a public document, since we haven't yet had it properly vetted, but
you're welcome to come ask and I can give you an informal outline of our

Extension draft:
Presentation slides:

I noted some comments during the discussion following the presentation:

- Say I have main authnr A, backup authnr B. Let's say B is much less
capable than A. Lose A. Now I buy a new main authenticator C, and want B to
still be a backup for C instead of using C as a backup for B.
  - This is currently doable, but requires recovering with B at every RP,
then registering C at every RP. Would it be possible to "forward" recovery
from B to C, so I only need to "associate" B with C and then recover with C

- Make the `generate` action apply to create() as well. There's no
guarantee that get() will ever be called, but there is a guarantee that
create() has been called at least once.

- Provide transports in `generate` so that CaBLE works for recovery ceremony

I look forward to your additional comments and questions.
Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>
Received on Monday, 22 October 2018 10:20:27 UTC