Re: [webauthn] More explicitly document use cases. (#1300)

Here's a table that Steven (who'll be at TPAC) drew up that can be helpful to think about these things:

|     | User Presence | User Verification | Resident Key |
| --- | --- | --- | --- |
| RP knows which account is logged in | anti-exfiltration | reauthentication | |
| User is unknown | two-factor auth | passwordless | typing-free |

Also, I sketched up https://gist.github.com/agl/d4b7a646ec7474eec1071ebc9be77e79 to see about explicitly defining the map from registration options to high-level intent. (Take a look, you might think I'm crazy.) I've ignored all residentKey=preferred as something for the future. The combinations that remain undefined are:

```
(NoAttachment,RKNotSpecified,UVPreferred)
(NoAttachment,RKDiscouraged,UVPreferred)
(Platform,RKNotSpecified,UVDiscouraged)
(Platform,RKNotSpecified,UVPreferred)
(Platform,RKDiscouraged,UVDiscouraged)
(Platform,RKDiscouraged,UVPreferred)
(Platform,RKRequired,UVRequired)
(CrossPlatform,RKNotSpecified,UVPreferred)
(CrossPlatform,RKDiscouraged,UVPreferred)
```

If we take out those that are UV=preferred (which does not seem to make a lot of sense to me as an option) we are left with

```
(Platform,RKNotSpecified,UVDiscouraged)
(Platform,RKDiscouraged,UVDiscouraged)
(Platform,RKRequired,UVRequired)
```

The first two fall into Steven's “anti-exfiltration” bucket, i.e. you're checking for a credential that malware cannot have extracted from the machine and you're checking that there's a physical human at the machine. Perhaps this should be a documented use case.

The last is a typing-free situation, but with an odd platform attachment. Still, the intent can likely be categorised the same as other typing-free cases, leaving only uv=preferred and the flow around rk=preferred as undefined.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1300#issuecomment-531044627 using your GitHub account

Received on Thursday, 12 September 2019 23:30:53 UTC
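As an added example (not part of agl's comment, the gist, or the WebAuthn spec), the check below normalises the `authenticatorSelection` part of a `PublicKeyCredentialCreationOptions` into the `(attachment, rk, uv)` tuples used in the comment and reports what the comment says about that combination: rk=preferred set aside, uv=preferred undefined, the three reclassified tuples given their proposed intent, and everything else either in the comment's undefined list or left to the gist. The status strings and the spec default of `userVerification: "preferred"` are this example's own assumptions.

```javascript
// Combinations the comment lists as still undefined in the gist.
const UNDEFINED_IN_GIST = new Set([
  'NoAttachment,RKNotSpecified,UVPreferred',
  'NoAttachment,RKDiscouraged,UVPreferred',
  'Platform,RKNotSpecified,UVDiscouraged',
  'Platform,RKNotSpecified,UVPreferred',
  'Platform,RKDiscouraged,UVDiscouraged',
  'Platform,RKDiscouraged,UVPreferred',
  'Platform,RKRequired,UVRequired',
  'CrossPlatform,RKNotSpecified,UVPreferred',
  'CrossPlatform,RKDiscouraged,UVPreferred',
]);

// Intents the comment proposes for three of those tuples.
const PROPOSED_INTENT = new Map([
  ['Platform,RKNotSpecified,UVDiscouraged', 'anti-exfiltration'],
  ['Platform,RKDiscouraged,UVDiscouraged', 'anti-exfiltration'],
  ['Platform,RKRequired,UVRequired', 'typing-free'],
]);

const cap = s => s.charAt(0).toUpperCase() + s.slice(1);

// Map a real authenticatorSelection dictionary to the comment's tuple form.
function toTuple(sel = {}) {
  const att = { platform: 'Platform', 'cross-platform': 'CrossPlatform' }[sel.authenticatorAttachment]
    ?? 'NoAttachment';
  // residentKey wins if present; the older requireResidentKey boolean means RKRequired.
  let rk = 'RKNotSpecified';
  if (sel.residentKey) rk = 'RK' + cap(sel.residentKey);
  else if (sel.requireResidentKey) rk = 'RKRequired';
  // Assumption: userVerification defaults to "preferred" when omitted.
  const uv = 'UV' + cap(sel.userVerification ?? 'preferred');
  return `${att},${rk},${uv}`;
}

// Classify a creation request the way the comment does.
function classifyIntent(sel) {
  const tuple = toTuple(sel);
  if (tuple.includes('RKPreferred')) return { tuple, status: 'deferred', intent: null };   // rk=preferred: "for the future"
  if (tuple.includes('UVPreferred')) return { tuple, status: 'undefined', intent: null };  // uv=preferred: left undefined
  if (PROPOSED_INTENT.has(tuple)) return { tuple, status: 'proposed', intent: PROPOSED_INTENT.get(tuple) };
  return { tuple, status: UNDEFINED_IN_GIST.has(tuple) ? 'undefined' : 'defined-in-gist', intent: null };
}
```

Running `classifyIntent({})` shows that a request relying on the spec defaults lands in the uv=preferred bucket the comment calls undefined.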