- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Mon, 24 Jun 2019 18:18:44 +0000
- To: public-webauthn@w3.org
> @equalsJeffH Do you [think we should do this](https://github.com/w3c/webauthn/pull/1238#issuecomment-503676500)?

Well, I'm thinking @Kieun has a good point that the "The intent is to be able to distinguish individual users" statement (within the [user verification definition](https://w3c.github.io/webauthn/#user-verification)) encompasses several subtle-but-important nuances.
How about this:
```
: <dfn>User Verification</dfn>
:: The technical process by which an [=authenticator=] <em>locally authorizes</em> the invocation of the
[=authenticatorMakeCredential=] and [=authenticatorGetAssertion=] operations. [=User verification=] MAY be instigated
through various [=authorization gesture=] modalities; for example, through a touch plus pin code, password entry, or
[=biometric recognition=] (e.g., presenting a fingerprint) [[ISOBiometricVocabulary]]. The intent is to
distinguish individual users.
<div class="note">
Note: Distinguishing natural persons depends in significant part upon the [=client platform=]'s
and [=authenticator=]'s capabilities. For example, some devices are intended to be used
by one distinct individual, yet they may allow multiple natural persons to enroll fingerprints and thus
access the same [=[RP]=] account(s) using that device. See also [[#sctn-uvi-extension]].
</div>
<div class="note">
Note: Invocation of the [=authenticatorMakeCredential=] and [=authenticatorGetAssertion=]
operations implies use of key material managed by the authenticator.
Also, for security, [=user verification=] and use
of [=credential private keys=] must occur within a single logical security boundary defining the [=authenticator=].
</div>
[=User verification=] procedures MAY implement [=rate limiting=] as a protection against brute force attacks.
```
...?
--
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1238#issuecomment-505122529 using your GitHub account
Received on Monday, 24 June 2019 18:18:46 UTC