
Re: webauthn post on NANOG

From: James Barclay <jbarclay@duosecurity.com>
Date: Mon, 25 Mar 2019 12:01:50 -0400
Cc: Nicholas Steele <nick@nicksteele.net>, Jeff Hodges <jdhodges@google.com>, Emil Lundberg <emil@yubico.com>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, W3C Web Authn WG <public-webauthn@w3.org>
Message-Id: <590BF954-0CD0-4336-985E-A774C1A921B5@duosecurity.com>
To: Akshay Kumar <Akshay.Kumar@microsoft.com>
I think this question has less to do with standardizing software authenticators and more to do with a misunderstanding about how user verification works, whether local PINs/passphrases are supported in WebAuthn, and a fear that knowledge-based authentication will disappear "because FIDO/WebAuthn/whatever."  I don't think anything needs to change in the spec, but maybe we can all be more clear when communicating with others about how users authenticate to the device, whether that's biometrics, a PIN/passphrase, or a test of user presence in non-user verifying workflows. We could also spend less time demonizing passwords without also explaining the differences between remote and local verification. I suspect that this misunderstanding has come about at least partly because using biometrics to authenticate is a much different user experience than password-based authentication, and therefore is what's written about on blogs/news sites.

Thanks.

-- 
James Barclay

> On Mar 25, 2019, at 11:58 AM, Akshay Kumar <Akshay.Kumar@microsoft.com> wrote:
> 
> Merging threads,
>  
> Issue #1175 is about hardware authenticators not being free. People who don’t want to buy hardware have alternatives (built-in platform authenticators, phones). Removable authenticators give you roamability, as Christiaan mentioned. 
> Issue #1125 is more about delegation of authentication between RPs which is a totally different topic. IIRC, @Jeff, probably had some ideas about that. From what I understand, that is not solved yet.
>  
> I would like to understand what exactly the problem is that we are trying to solve here which is not solved currently in the spec.
>  
>  
> From: Christiaan Brand <cbrand@google.com> 
> Sent: Monday, March 25, 2019 8:47 AM
> To: Samuel Weiler <weiler@w3.org>
> Cc: Anthony Nadalin <tonynad@microsoft.com>; W3C Web Authn WG <public-webauthn@w3.org>
> Subject: Re: webauthn post on NANOG
>  
> > But we don't want to discourage,
> > oh say, Epicurious to implement webauthn to get to my super-secret recipe box
> > because they don't think people will buy id dongles.
>  
> I think the point is being missed here. The presence of hardware in webauthn/fido is not because we think it’s necessarily better than software. It’s because it’s removable and can travel with you to new devices. That’s much harder to do with on-device software solutions without resorting to some sort of syncing, which in many cases relegates your 2fa solution to 1fa again.
>  
> Feel free to send this on to the OP.
>  
> /christiaan
>  
> On Mon, Mar 25, 2019 at 08:37 Samuel Weiler <weiler@w3.org> wrote:
> On Mon, 25 Mar 2019, Anthony Nadalin wrote:
> 
> > Just wondering what you want us to do here as there is no real 
> > information in this message relative to WebAuthn
> 
> I wanted members of the WG to be aware of it in case the discussion 
> ran off somewhere - some of you might have wanted to weigh in.  Given 
> that the thread died on the vine, there is no immediate action item.
> 
> Emil pointed out the already-open related issue.
> 
> -- Sam
> 
>  
> From: Nicholas Steele <nick@nicksteele.net> 
> Sent: Monday, March 25, 2019 8:20 AM
> To: Akshay Kumar <Akshay.Kumar@microsoft.com>
> Cc: Emil Lundberg <emil@yubico.com>; Anthony Nadalin <tonynad@microsoft.com>; Samuel Weiler <weiler@w3.org>; W3C Web Authn WG <public-webauthn@w3.org>
> Subject: Re: webauthn post on NANOG
>  
> With regards to the NANOG post, I don't think we've been promoting any messaging in the specification or elsewhere that local password authentication is to be avoided or is being "solved" with WebAuthn. Unsure how this work can be misconstrued. 
>  
> I agree with Emil's latter point: I think this is tangentially related to issue #1175 in that we should have some further messaging around supporting software-defined authenticators, but don't need to change the API to support those authenticators. 
>  
> That being said, updating the spec to include a client extension that delegates authentication to a local/remote software-defined authenticator or service could be useful. Something like this was brought up in issue 1125. Will write up an issue/PR to capture these thoughts.
>  
> On Mon, Mar 25, 2019 at 10:25 AM Akshay Kumar <Akshay.Kumar@microsoft.com> wrote:
> Platforms already have software authenticators, so there is no need to over-specify here. Based on my reading of the below text, it is saying something slightly different. It looks like it is saying that *local* password is probably on par with external hardware-based solutions. Which is how platform authenticators work. From the large-scale attack perspective, that is correct. But I don’t see any reason to change the spec. We don’t have to specify one way or another what RPs will prefer. It's up to them. 
>  
> From: Emil Lundberg <emil@yubico.com> 
> Sent: Monday, March 25, 2019 4:29 AM
> To: Anthony Nadalin <tonynad@microsoft.com>
> Cc: Samuel Weiler <weiler@w3.org>; W3C Web Authn WG <public-webauthn@w3.org>
> Subject: Re: webauthn post on NANOG
>  
> It sounds to me like this echoes the same concerns as https://github.com/w3c/webauthn/issues/1175 . Maybe we need the spec to more clearly point out software authenticators as a possible implementation?
>  
> /Emil
>  
>  
> On Mon, Mar 25, 2019 at 9:41 AM Anthony Nadalin <tonynad@microsoft.com> wrote:
> Just wondering what you want us to do here as there is no real information in this message relative to WebAuthn 
> 
> -----Original Message-----
> From: Samuel Weiler <weiler@w3.org> 
> Sent: Saturday, March 23, 2019 3:30 AM
> To: W3C Web Authn WG <public-webauthn@w3.org>
> Subject: webauthn post on NANOG
> 
> FYI.
> 
> ---------- Forwarded message ----------
> Date: Fri, 22 Mar 2019 17:50:29 -0700
> From: Michael Thomas <mike@mtcc.com>
> To: NANOG list <nanog@nanog.org>
> Subject: webauthn
> 
> 
> I know it's a little tangential, but it's a huge operational issue for network operations too. Have any NANOG folks been paying attention to webauthn? I didn't know about it until yesterday, though I wrote a proof of concept of something that looks a lot like webauthn in 2012. The thing that is kind of concerning to me is that there seems to be some amount of misconception (I hope!) that you need hardware or biometric or some non-password based authentication on the user device in the many write-ups I've been reading. I sure hope that misconception doesn't take hold because there is nothing wrong with *local* password based authentication to unlock your credentials. I fear that if the misconception takes hold, it will cause the entire effort to tank. The issue with passwords is transmitting them over the wire, first and foremost. Strong *local* passwords that unlock functionality are still perfectly fine for many, many applications, IMO.
> 
> Which isn't to say that hardware/biometric is bad, it's just to say that they are separable problems with their own set of tradeoffs. NANOG folks sound like prime examples of who should be using 2 factor, etc. But we don't want to discourage, oh say, Epicurious to implement webauthn to get to my super-secret recipe box because they don't think people will buy id dongles.
> 
> Mike
> 
> 
> 
> --
> Emil Lundberg
> Software Developer | Yubico
>  
> 
>  
> -- 
> Nick Steele
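The distinction James draws between user verification (PIN/passphrase or biometric checked locally) and a plain test of user presence is visible to the relying party only as flag bits in the authenticator data. The following is an added example, not code from this thread or from any WebAuthn library: it parses the fixed 37-byte prefix of authenticatorData and applies the RP-side UP/UV checks for a chosen userVerification policy. Function names and the sample rpId are this example's own assumptions.

```python
import hashlib
import struct

# authenticatorData flag bits (WebAuthn Level 1, section 6.1)
FLAG_UP = 0x01  # User Present: test of user presence (e.g. a touch)
FLAG_UV = 0x04  # User Verified: local PIN, passphrase or biometric succeeded
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows

# The UV bit is the same whether the authenticator used a PIN or a
# fingerprint; the RP cannot tell the two apart from this bit alone.

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split rpIdHash (32 bytes), flags (1 byte), signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "sign_count": sign_count,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
    }


def check_verification(auth_data: bytes, rp_id: str, user_verification: str) -> bool:
    """RP-side checks: rpIdHash matches, UP is set, and UV is set when the
    RP's userVerification option was "required" ("preferred"/"discouraged"
    accept UP alone)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    if not parsed["up"]:
        return False
    if user_verification == "required" and not parsed["uv"]:
        return False
    return True


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Construct a minimal authenticatorData blob (sample input built here,
    not captured from a real authenticator)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))
```

A PIN-protected security key and a fingerprint-unlocked platform authenticator both pass the "required" branch; only an authenticator that performed no local verification at all is rejected there.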
Received on Tuesday, 26 March 2019 10:52:38 UTC
