Re: webauthn post on NANOG

From: Jeff Hodges <jdhodges@google.com>
Date: Tue, 26 Mar 2019 06:46:23 -0700
Message-ID: <CAOt3QXt6ttRqCqRJiWcajKeAVstMKuM-11qpgwpPirfMmxawCQ@mail.gmail.com>
To: W3C Web Authn WG <public-webauthn@w3.org>
Cc: Akshay Kumar <Akshay.Kumar@microsoft.com>, Nicholas Steele <nick@nicksteele.net>, Emil Lundberg <emil@yubico.com>, Anthony Nadalin <tonynad@microsoft.com>, Samuel Weiler <weiler@w3.org>, James Barclay <jbarclay@duosecurity.com>

On Mon, Mar 25, 2019 at 9:01 AM James Barclay <jbarclay@duosecurity.com> wrote:

> I think this question has less to do with standardizing software
> authenticators and more to do with a misunderstanding about how user
> verification works, whether local PINs/passphrases are supported in
> WebAuthn, and a fear that knowledge-based authentication will disappear
> "because FIDO/WebAuthn/whatever."

Agreed, that is how I also interpreted the NANOG post.

> I don't think anything needs to change in the spec, but maybe we can all
> be more clear when communicating with others about how users authenticate
> to the device, whether that's biometrics, a PIN/passphrase, or a test of
> user presence in non-user verifying workflows. We could also spend less
> time demonizing passwords without also explaining the differences between
> remote and local verification. I suspect that this misunderstanding has
> come about at least partly because using biometrics to authenticate is a
> much different user experience than password-based authentication, and
> therefore is what's written about on blogs/news sites.


Received on Tuesday, 26 March 2019 13:47:11 UTC
