Re: webauthn post on NANOG

On Mon, Mar 25, 2019 at 9:01 AM James Barclay <jbarclay@duosecurity.com>
wrote:

> I think this question has less to do with standardizing software
> authenticators and more to do with a misunderstanding about how user
> verification works, whether local PINs/passphrases are supported in
> WebAuthn, and a fear that knowledge-based authentication will disappear
> "because FIDO/WebAuthn/whatever."


Agreed, that is how I also interpreted the NANOG post.


> I don't think anything needs to change in the spec, but maybe we can all
> be more clear when communicating with others about how users authenticate
> to the device, whether that's biometrics, a PIN/passphrase, or a test of
> user presence in non-user verifying workflows. We could also spend less
> time demonizing passwords without also explaining the differences between
> remote and local verification. I suspect that this misunderstanding has
> come about at least partly because using biometrics to authenticate is a
> much different user experience than password-based authentication, and
> therefore is what's written about on blogs/news sites.
>

Agreed.


=JeffH

Received on Tuesday, 26 March 2019 13:47:11 UTC
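The distinction the thread turns on (the user authenticates to the device; the relying party only learns that it happened) is visible in what a WebAuthn RP actually receives. The following is an added example, not code from the thread or from any WebAuthn implementation: it parses the fixed prefix of authenticatorData, reads the User Present (UP) and User Verified (UV) flag bits, and enforces a userVerification policy. The rpIdHash bytes, the RP ID "example.com" and the helper names are constructed for illustration.

```javascript
// Added example (not from the thread): how a WebAuthn relying party sees
// "local" user verification. The authenticator checks the PIN, passphrase
// or biometric itself; the RP only receives flag bits in authenticatorData
// and never learns which method was used. Sample bytes are constructed.

// Flag bits of the authenticatorData flags byte (WebAuthn authenticator data layout).
const FLAG_UP = 0x01; // User Present: a test of presence (e.g. a touch) passed
const FLAG_UV = 0x04; // User Verified: PIN/passphrase/biometric checked on the device
const FLAG_AT = 0x40; // Attested credential data follows
const FLAG_ED = 0x80; // Extension data follows

// Parse the fixed-length prefix of authenticatorData:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
function parseAuthenticatorData(authData) {
  if (authData.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredential: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Apply the RP's userVerification policy ("required", "preferred" or
// "discouraged", the values of PublicKeyCredentialRequestOptions.userVerification).
// UP must always be set; UV is mandatory only when the policy is "required".
function checkVerificationPolicy(parsed, policy) {
  if (!parsed.userPresent) {
    return { ok: false, reason: "user presence flag not set" };
  }
  if (policy === "required" && !parsed.userVerified) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  return { ok: true, reason: parsed.userVerified ? "user verified locally" : "presence only" };
}

// Build a constructed authenticatorData buffer for demonstration (hypothetical helper).
function makeAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);                                  // stand-in for SHA-256(rpId)
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

// The RP asks for local verification via the options it passes to
// navigator.credentials.get(); the device, not the RP, then prompts for
// the PIN or biometric. rpId "example.com" is a placeholder.
function assertionOptions(challenge, policy) {
  return {
    publicKey: {
      challenge,                // server-generated random bytes
      rpId: "example.com",      // hypothetical RP ID
      userVerification: policy, // "required" forces PIN/biometric on the device
      timeout: 60000,
    },
  };
}

// A presence-only touch versus a PIN/biometric-verified touch, as the RP sees them.
const presenceOnly = parseAuthenticatorData(makeAuthData(FLAG_UP, 7));
const verified = parseAuthenticatorData(makeAuthData(FLAG_UP | FLAG_UV, 8));
console.log(checkVerificationPolicy(presenceOnly, "required")); // ok: false
console.log(checkVerificationPolicy(verified, "required"));     // ok: true
console.log(assertionOptions(new Uint8Array(32), "required").publicKey.userVerification);
```

Note that the UV bit is the whole of what the RP learns: a knowledge factor (PIN/passphrase) and a biometric both set the same bit, which is why "local verification" and "remote verification" need to be distinguished when explaining WebAuthn to people who hear only that passwords are going away.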