- From: Emil Lundberg <emil@yubico.com>
- Date: Mon, 25 Mar 2019 12:29:03 +0100
- To: Anthony Nadalin <tonynad@microsoft.com>
- Cc: Samuel Weiler <weiler@w3.org>, W3C Web Authn WG <public-webauthn@w3.org>
- Message-ID: <CANMnvkzCDCspcEOhD2RUsQUUDQJ6fqeE660KBZsqTTxCFkLDVg@mail.gmail.com>
It sounds to me like this echoes the same concerns as https://github.com/w3c/webauthn/issues/1175 . Maybe we need the spec to more clearly point out software authenticators as a possible implementation?

/Emil

On Mon, Mar 25, 2019 at 9:41 AM Anthony Nadalin <tonynad@microsoft.com> wrote:

> Just wondering what you want us to do here as there is no real information
> in this message relative to WebAuthn
>
> -----Original Message-----
> From: Samuel Weiler <weiler@w3.org>
> Sent: Saturday, March 23, 2019 3:30 AM
> To: W3C Web Authn WG <public-webauthn@w3.org>
> Subject: webauthn post on NANOG
>
> FYI.
>
> ---------- Forwarded message ----------
> Date: Fri, 22 Mar 2019 17:50:29 -0700
> From: Michael Thomas <mike@mtcc.com>
> To: NANOG list <nanog@nanog.org>
> Subject: webauthn
>
> I know it's a little tangential, but it's a huge operational issue for
> network operations too. Have any NANOG folks been paying attention to
> webauthn? I didn't know about it until yesterday, though I wrote a proof of
> concept of something that looks a lot like webauthn in 2012. The thing that
> is kind of concerning to me is that there seems to be some amount of
> misconception (I hope!) that you need hardware or biometric or some
> non-password based authentication on the user device in the many write-ups
> I've been reading. I sure hope that misconception doesn't take hold because
> there is nothing wrong with *local* password based authentication to unlock
> your credentials. I fear that if the misconception takes hold, it will
> cause the entire effort to tank. The issue with passwords is transmitting
> them over the wire, first and foremost. Strong *local* passwords that
> unlock functionality are still perfectly fine for many many applications,
> IMO.
>
> Which isn't to say that hardware/biometric is bad, it's just to say that
> they are separable problems with their own set of tradeoffs. NANOG folks
> sound like prime examples of who should be using 2 factor, etc. But we
> don't want to discourage, oh say, Epicurious to implement webauthn to get
> to my super-secret recipe box because they don't think people will buy id
> dongles.
>
> Mike

--
Emil Lundberg
Software Developer | Yubico <http://www.yubico.com/>
Received on Monday, 25 March 2019 11:29:38 UTC