Re: webauthn post on NANOG

From: Emil Lundberg <emil@yubico.com>
Date: Mon, 25 Mar 2019 12:29:03 +0100
Message-ID: <CANMnvkzCDCspcEOhD2RUsQUUDQJ6fqeE660KBZsqTTxCFkLDVg@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: Samuel Weiler <weiler@w3.org>, W3C Web Authn WG <public-webauthn@w3.org>

It sounds to me like this echoes the same concerns as
https://github.com/w3c/webauthn/issues/1175 . Maybe we need the spec to
more clearly point out software authenticators as a possible implementation?

/Emil


On Mon, Mar 25, 2019 at 9:41 AM Anthony Nadalin <tonynad@microsoft.com>
wrote:

> Just wondering what you want us to do here as there is no real information
> in this message relative to WebAuthn
>
> -----Original Message-----
> From: Samuel Weiler <weiler@w3.org>
> Sent: Saturday, March 23, 2019 3:30 AM
> To: W3C Web Authn WG <public-webauthn@w3.org>
> Subject: webauthn post on NANOG
>
> FYI.
>
> ---------- Forwarded message ----------
> Date: Fri, 22 Mar 2019 17:50:29 -0700
> From: Michael Thomas <mike@mtcc.com>
> To: NANOG list <nanog@nanog.org>
> Subject: webauthn
>
>
> I know it's a little tangential, but it's a huge operational issue for
> network operations too. Have any NANOG folks been paying attention to
> webauthn? I didn't know about it until yesterday, though I wrote a proof of
> concept of something that looks a lot like webauthn in 2012. The thing that
> is kind of concerning to me is that there seems to be some amount of
> misconception (I hope!) that you need hardware or biometric or some
> non-password based authentication on the user device in the many write-ups
> I've been reading. I sure hope that misconception doesn't take hold because
> there is nothing wrong with *local* password based authentication to unlock
> your credentials. I fear that if the misconception takes hold, it will
> cause the entire effort to tank. The issue with passwords is transmitting
> them over the wire, first and foremost. Strong *local* passwords that
> unlock functionality are still perfectly fine for many, many applications,
> IMO.
>
> Which isn't to say that hardware/biometric is bad, it's just to say that
> they are separable problems with their own set of tradeoffs. NANOG folks
> sound like prime examples of who should be using 2 factor, etc. But we
> don't want to discourage, oh say, Epicurious from implementing webauthn to get
> to my super-secret recipe box because they don't think people will buy ID
> dongles.
>
> Mike
>
>
>
>
> --

Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>
Received on Monday, 25 March 2019 11:29:38 UTC