W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2019

Re: FacetID equivalent for WebAuthn?

From: Marius Scurtescu <marius.scurtescu@coinbase.com>
Date: Thu, 18 Jul 2019 17:49:12 -0700
Message-ID: <CABpvcNv6GZqZ4C793+0G_fD_htiuX0EBEmRPewXWnR-h37ju3A@mail.gmail.com>
To: Adam Langley <agl@google.com>
Cc: W3C Web Authn WG <public-webauthn@w3.org>
Thanks again Adam.

Is this the iframe spec you are referring to:
https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance

The situation looks pretty bleak from where I stand. I am surprised that
this is not coming up as an issue. Was there a concrete reason to stop
supporting FacetID? Lack of interest?


On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:

> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <
> marius.scurtescu@coinbase.com> wrote:
>
>> How is a multi-domain deployment supposed to work with WebAuthn? And by
>> multi-domain I mean domains that don't match: example1.com and
>> example2.com.
>>
>> One solution that was suggested is to always redirect to the IdP, so
>> there is not need for multiple domains. That might work for login, but when
>> WebAuthn is used as a re-authentication challenge then a full page redirect
>> becomes very difficult to implement, especially for an existing application.
>>
>
> WebAuthn credentials are tied to an RP ID, which is a domain name. There
> is not support for “groups” of domains being acceptable for a credential.
>
> Redirecting (with suitable care) is possible, somewhat similar to OAuth.
> There is also (currently) unimplemented spec for granting iframes WebAuthn
> abilities, in which case postMessage can be used. Implementation priorities
> are set by need and, currently, nobody is making a fuss about the lack of
> iframe support so it's not on the roadmap.
>
>
> Cheers
>
> AGL
>
Received on Friday, 19 July 2019 00:49:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:06 UTC