Re: FacetID equivalent for WebAuthn? from John Bradley on 2019-07-19 (public-webauthn@w3.org from July 2019)

From: John Bradley <jbradley@yubico.com>
Date: Thu, 18 Jul 2019 20:41:57 -0500
To: Marius Scurtescu <marius.scurtescu@coinbase.com>
Cc: Adam Langley <agl@google.com>, W3C Web Authn WG <public-webauthn@w3.org>
Message-ID: <CAEY7Pj8KQDBELnPxrUNWVHsMhNQQw8tjKT66ZgCKu8MhHAjRVw@mail.gmail.com>

There was an effort to simplify the spec.   FacitID was a victim of that.
Dirk can fill in the details.

The payments people are wanting the iframe solution, for 3dsecure and open
banking.

I think we do need a way to delegate domain A to act as a proxy for domain
B.

I would prefer to do it in a more granular way than was done in FacitID.

Some of us kicked some ideas around at the last Fido plenery.  I think it
could be done in WebAuthn with existing CTAP2 authenticators.

John B.

On Thu, Jul 18, 2019, 7:50 PM Marius Scurtescu <
marius.scurtescu@coinbase.com> wrote:

> Thanks again Adam.
>
> Is this the iframe spec you are referring to:
> https://www.w3.org/TR/webauthn-2/#sctn-iframe-guidance
>
> The situation looks pretty bleak from where I stand. I am surprised that
> this is not coming up as an issue. Was there a concrete reason to stop
> supporting FacetID? Lack of interest?
>
>
> On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <agl@google.com> wrote:
>
>> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <
>> marius.scurtescu@coinbase.com> wrote:
>>
>>> How is a multi-domain deployment supposed to work with WebAuthn? And by
>>> multi-domain I mean domains that don't match: example1.com and
>>> example2.com.
>>>
>>> One solution that was suggested is to always redirect to the IdP, so
>>> there is not need for multiple domains. That might work for login, but when
>>> WebAuthn is used as a re-authentication challenge then a full page redirect
>>> becomes very difficult to implement, especially for an existing application.
>>>
>>
>> WebAuthn credentials are tied to an RP ID, which is a domain name. There
>> is not support for “groups” of domains being acceptable for a credential.
>>
>> Redirecting (with suitable care) is possible, somewhat similar to OAuth.
>> There is also (currently) unimplemented spec for granting iframes WebAuthn
>> abilities, in which case postMessage can be used. Implementation priorities
>> are set by need and, currently, nobody is making a fuss about the lack of
>> iframe support so it's not on the roadmap.
>>
>>
>> Cheers
>>
>> AGL
>>
>

Received on Friday, 19 July 2019 01:42:35 UTC