- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Thu, 12 Sep 2019 23:30:52 +0000
- To: public-webauthn@w3.org

Here's a table that Steven (who'll be at TPAC) drew up that can be helpful to think about these things:

| | User Presence | User Verification | Resident Key |
| --- | --- | --- | --- |
| RP knows which account is logged in | anti-exfiltration | reauthentication | |
| User is unknown | two-factor auth | passwordless | typing-free |

Also, I sketched up https://gist.github.com/agl/d4b7a646ec7474eec1071ebc9be77e79 to see about explicitly defining the map from registration options to high-level intent. (Take a look, you might think I'm crazy.)

I've ignored all residentKey=preferred as something for the future. The combinations that remain undefined are:

```
(NoAttachment,RKNotSpecified,UVPreferred)
(NoAttachment,RKDiscouraged,UVPreferred)
(Platform,RKNotSpecified,UVDiscouraged)
(Platform,RKNotSpecified,UVPreferred)
(Platform,RKDiscouraged,UVDiscouraged)
(Platform,RKDiscouraged,UVPreferred)
(Platform,RKRequired,UVRequired)
(CrossPlatform,RKNotSpecified,UVPreferred)
(CrossPlatform,RKDiscouraged,UVPreferred)
```

If we take out those that are UV=preferred (which does not seem to make a lot of sense to me as an option) we are left with

```
(Platform,RKNotSpecified,UVDiscouraged)
(Platform,RKDiscouraged,UVDiscouraged)
(Platform,RKRequired,UVRequired)
```

The first two fall into Steven's “anti-exfiltration” bucket, i.e. you're checking for a credential that malware cannot have extracted from the machine and you're checking that there's a physical human at the machine. Perhaps this should be a documented use case.

The last is a typing-free situation, but with an odd platform attachment. Still, the intent can likely be categorised the same as other typing-free cases, leaving only uv=preferred and the flow around rk=preferred as undefined.

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1300#issuecomment-531044627 using your GitHub account

Received on Thursday, 12 September 2019 23:30:53 UTC