
Re: [webauthn] More explicitly document use cases. (#1300)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Thu, 12 Sep 2019 23:30:52 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-531044627-1568331050-sysbot+gh@w3.org>
Here's a table that Steven (who'll be at TPAC) drew up that can be helpful to think about these things:

|     | User Presence | User Verification | Resident Key |
| --- | --- | --- | --- |
| RP knows which account is logged in | anti-exfiltration | reauthentication | |
| User is unknown | two-factor auth | passwordless | typing-free |

Also, I sketched up https://gist.github.com/agl/d4b7a646ec7474eec1071ebc9be77e79 to see about explicitly defining the map from registration options to high-level intent. (Take a look, you might think I'm crazy.) I've ignored all residentKey=preferred as something for the future. The combinations that remain undefined are:


If we take out those that are UV=preferred (which does not seem to make a lot of sense to me as an option) we are left with


The first two fall into Steven's “anti-exfiltration” bucket, i.e. you're checking for a credential that malware cannot have extracted from the machine and you're checking that there's a physical human at the machine. Perhaps this should be a documented use case.

The last is a typing-free situation, but with an odd platform attachment. Still, the intent can likely be categorised the same as other typing-free cases, leaving only uv=preferred and the flow around rk=preferred as undefined.

GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1300#issuecomment-531044627 using your GitHub account
Received on Thursday, 12 September 2019 23:30:53 UTC
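As an added illustration of the "registration options to high-level intent" mapping discussed in this message (example code written here, not from the thread or from agl's gist), the function below takes the `authenticatorSelection` fields of a WebAuthn `PublicKeyCredentialCreationOptions` plus a hypothetical `rpKnowsAccount` flag for the table's row axis, and returns the bucket from Steven's table; uv=preferred, rk=preferred and the table's empty cell are reported as undefined. The enumeration at the end is over uv/rk/row only and does not include attachment, so its count differs from the gist's.

```javascript
// Added example (not from this thread or agl's gist): map WebAuthn
// registration options onto the intent buckets in Steven's table.
// `sel` mirrors PublicKeyCredentialCreationOptions.authenticatorSelection;
// `rpKnowsAccount` is a hypothetical flag for the table's row axis.

function normalizeSelection(sel = {}) {
  // Spec defaults: userVerification "preferred"; residentKey "discouraged"
  // unless the older requireResidentKey=true is set (meaning "required").
  const uv = sel.userVerification ?? "preferred";
  const rk = sel.residentKey ?? (sel.requireResidentKey ? "required" : "discouraged");
  return { uv, rk, attachment: sel.authenticatorAttachment };
}

function classifyIntent(sel, rpKnowsAccount) {
  const { uv, rk, attachment } = normalizeSelection(sel);
  // Combinations the thread leaves undefined.
  if (uv === "preferred") return { intent: "undefined", reason: "uv=preferred" };
  if (rk === "preferred") return { intent: "undefined", reason: "rk=preferred" };
  const uvRequired = uv === "required";
  const rkRequired = rk === "required";
  if (rpKnowsAccount) {
    // Row 1 of the table: the Resident Key cell is empty.
    if (rkRequired) return { intent: "undefined", reason: "no table entry" };
    return { intent: uvRequired ? "reauthentication" : "anti-exfiltration" };
  }
  // Row 2: user unknown.
  if (rkRequired) {
    // A platform attachment is odd here but is still categorised typing-free.
    const note = attachment === "platform" ? "platform attachment" : undefined;
    return note ? { intent: "typing-free", note } : { intent: "typing-free" };
  }
  return { intent: uvRequired ? "passwordless" : "two-factor auth" };
}

// Enumerate every (uv, rk, rpKnowsAccount) combination that is still undefined.
function undefinedCombinations() {
  const out = [];
  for (const userVerification of ["discouraged", "preferred", "required"])
    for (const residentKey of ["discouraged", "preferred", "required"])
      for (const rpKnowsAccount of [true, false]) {
        const r = classifyIntent({ userVerification, residentKey }, rpKnowsAccount);
        if (r.intent === "undefined")
          out.push({ userVerification, residentKey, rpKnowsAccount, reason: r.reason });
      }
  return out;
}
```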
