
Re: [webauthn] Specify authenticator attachment for authentication operation (#1267)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Fri, 09 Aug 2019 19:45:38 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-520041450-1565379935-sysbot+gh@w3.org>
While I applaud the efforts of Relying Parties'/Service Providers' desire to make the user experience as easy and pleasant as possible when using FIDO2/WebAuthn, IMHO, the technology industry is failing the larger ecosystem by continuing to indulge in users' ignorance.

The vast majority of information security problems are NOT because of a dearth of solutions, but because the technology industry refuses to invest in educating the ecosystem (and because universities graduate computer science students without requiring them to take even a single course on security - but that's another story). The combined net worth of all the companies in the FIDO Alliance and the W3C would probably exceed multiple trillions. Yet, how much is really needed to create the right level of content to educate users about FIDO2, to get them to understand keys stored on their platform device vs. keys stored on an external device, and how to differentiate between the two?

Humans have risen to the occasion to defy gravity and send other humans into space and bring them back; to drive automobiles, fly airplanes and pilot ships and to adapt to ATMs, electricity, telephones, typewriters, radios and the internet.  What makes FIDO2 so complex that they cannot be educated to understand the difference between platform resident keys and roaming keys on external authenticators?  What are we really solving by saving a few millions (among the trillions) in the education of an ecosystem to understand this and adapt to it?

I would encourage RPs to stop wasting their money and time dumbing down users, and actually make the effort to enlighten them with knowledge that not only enables them to simplify their lives, but actually protects them. It might seem insurmountable currently, but in the context of what humans have achieved in the past, this isn't even a blip in human adaptability.

Perhaps the conversation should be about what are the most effective ways to educate users about how to work with FIDO2?

GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1267#issuecomment-520041450 using your GitHub account
Received on Friday, 9 August 2019 19:45:39 UTC
