RE: webauthn post on NANOG

Platforms already have software authenticators, so there is no need to over-specify here. Based on my reading of the text below, it is saying something slightly different. It looks like it is saying that a *local* password is probably on par with external hardware-based solutions, which is how platform authenticators work. From the large-scale attack perspective, that is correct. But I don't see any reason to change the spec. We don't have to specify one way or another what RPs will prefer. It's up to them.

From: Emil Lundberg <emil@yubico.com>
Sent: Monday, March 25, 2019 4:29 AM
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: Samuel Weiler <weiler@w3.org>; W3C Web Authn WG <public-webauthn@w3.org>
Subject: Re: webauthn post on NANOG

It sounds to me like this echoes the same concerns as https://github.com/w3c/webauthn/issues/1175 . Maybe we need the spec to more clearly point out software authenticators as a possible implementation?

/Emil


On Mon, Mar 25, 2019 at 9:41 AM Anthony Nadalin <tonynad@microsoft.com> wrote:
Just wondering what you want us to do here, as there is no real information in this message relative to WebAuthn.

-----Original Message-----
From: Samuel Weiler <weiler@w3.org>
Sent: Saturday, March 23, 2019 3:30 AM
To: W3C Web Authn WG <public-webauthn@w3.org>
Subject: webauthn post on NANOG

FYI.

---------- Forwarded message ----------
Date: Fri, 22 Mar 2019 17:50:29 -0700
From: Michael Thomas <mike@mtcc.com>
To: NANOG list <nanog@nanog.org>
Subject: webauthn


I know it's a little tangential, but it's a huge operational issue for network operations too. Have any NANOG folks been paying attention to webauthn? I didn't know about it until yesterday, though I wrote a proof of concept of something that looks a lot like webauthn in 2012. The thing that is kind of concerning to me is that there seems to be some amount of misconception (I hope!) in the many write-ups I've been reading that you need hardware or biometric or some non-password-based authentication on the user device. I sure hope that misconception doesn't take hold, because there is nothing wrong with *local* password-based authentication to unlock your credentials. I fear that if the misconception takes hold, it will cause the entire effort to tank. The issue with passwords is transmitting them over the wire, first and foremost. Strong *local* passwords that unlock functionality are still perfectly fine for many, many applications, IMO.

Which isn't to say that hardware/biometric is bad; it's just to say that they are separable problems with their own set of tradeoffs. NANOG folks sound like prime examples of who should be using 2-factor, etc. But we don't want to discourage, oh say, Epicurious from implementing webauthn to get to my super-secret recipe box because they don't think people will buy ID dongles.

Mike



--

Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>

Received on Monday, 25 March 2019 14:25:33 UTC
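The point made in the forwarded NANOG post, that what crosses the wire is a signature over a fresh challenge and that how the private key gets unlocked on the device (local password, hardware, biometric) is a separable problem, as an added example that is not part of this thread or of the WebAuthn specification. It is a constructed Go toy of a software-only authenticator: the credential's P-256 private key is stored wrapped under a key derived from a local password, and the relying party holds only the public key, its own challenge and the returned signature. The names (`Register`, `Assert`, `Verify`, `deriveWrapKey`), the iterated-SHA-256 stand-in for a password KDF, and the reduced signed message are all assumptions made here; real WebAuthn signs `authenticatorData || hash(clientDataJSON)` and a real platform authenticator would use a proper KDF or the OS keystore.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Constructed toy of the WebAuthn assertion shape with a software-only authenticator:
// the private key stays on the device wrapped under a local-password-derived key, and
// only a signature over a fresh RP challenge crosses the wire. Not a WebAuthn
// implementation (no CBOR, attestation, authenticatorData or clientDataJSON; toy KDF).

// randBytes returns n CSPRNG bytes; crypto/rand.Read does not return an error in current Go.
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// deriveWrapKey stands in for a password KDF (assumed: iterated SHA-256 over password||salt).
func deriveWrapKey(password string, salt []byte) []byte {
	key := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 20000; i++ {
		key = sha256.Sum256(key[:])
	}
	return key[:]
}

// SoftwareAuthenticator holds one credential, encrypted at rest on the device.
type SoftwareAuthenticator struct {
	CredentialID []byte
	salt         []byte
	wrappedKey   []byte // nonce || AES-GCM ciphertext of the SEC1-encoded private key
}

// RelyingParty keeps only public material; it never sees the local password.
type RelyingParty struct {
	RPID   string
	PubKey *ecdsa.PublicKey
}

// Register creates a P-256 credential unlocked by password; returns device and RP sides.
func Register(rpID, password string) (*SoftwareAuthenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalECPrivateKey(priv) // cannot fail for a key just generated
	salt, credID := randBytes(16), randBytes(16)
	block, _ := aes.NewCipher(deriveWrapKey(password, salt)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := randBytes(aead.NonceSize())
	wrapped := aead.Seal(nonce, nonce, der, credID) // credential ID bound as AAD
	return &SoftwareAuthenticator{CredentialID: credID, salt: salt, wrappedKey: wrapped},
		&RelyingParty{RPID: rpID, PubKey: &priv.PublicKey}, nil
}

// NewChallenge issues the fresh per-ceremony value the RP later checks against.
func (rp *RelyingParty) NewChallenge() []byte { return randBytes(32) }

// signedMessage reduces sign-over(authenticatorData || hash(clientData)) to sha256(sha256(rpId) || challenge).
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	msg := sha256.Sum256(append(rpHash[:], challenge...))
	return msg[:]
}

// Assert unwraps the key with the local password and signs the challenge; the password
// is consumed on the device and only the signature leaves it.
func (a *SoftwareAuthenticator) Assert(password, rpID string, challenge []byte) ([]byte, error) {
	block, _ := aes.NewCipher(deriveWrapKey(password, a.salt))
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	// A GCM tag mismatch means a wrong password (or tampered blob); no partial key is exposed.
	der, err := aead.Open(nil, a.wrappedKey[:ns], a.wrappedKey[ns:], a.CredentialID)
	if err != nil {
		return nil, fmt.Errorf("wrong local password: %w", err)
	}
	priv, _ := x509.ParseECPrivateKey(der) // authenticated by GCM, so this is the key we wrapped
	return ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, challenge))
}

// Verify accepts the assertion only for the challenge this RP actually issued.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.PubKey, signedMessage(rp.RPID, challenge), sig)
}

func main() {
	auth, rp, err := Register("example.com", "correct horse battery staple")
	if err != nil {
		panic(err)
	}
	ch := rp.NewChallenge()
	sig, err := auth.Assert("correct horse battery staple", rp.RPID, ch)
	fmt.Println("valid assertion:", err == nil && rp.Verify(ch, sig))
	_, badErr := auth.Assert("wrong password", rp.RPID, ch)
	fmt.Println("wrong local password:", badErr, "| old sig on new challenge:", rp.Verify(rp.NewChallenge(), sig))
}
```

Running `go run` on the block shows the three properties the thread is arguing about: a correct local password produces an assertion the RP accepts, a wrong password fails at the GCM tag before any key bytes are exposed, and the same signature is rejected against a challenge the RP did not issue. Nothing the RP stores or receives would let it, or anyone who captures the exchange, log in again, which is the sense in which the local password is separable from the wire protocol.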