W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2020

Re: [webauthn] Standardising support for software authenticators (#1175)

From: Arshad Noor <arshad.noor@strongkey.com>
Date: Mon, 10 Feb 2020 04:34:53 -0800
To: public-webauthn@w3.org
Message-ID: <b8960956-af1d-4872-6232-c1f6e8933df9@strongkey.com>
I would argue that you may as well just stick with passwords for 
authentication than use software authenticators, Ki-Eun Shin.

Unless you use a hardware-based cryptographic module on the platform, 
your security is reduced to the knowledge of a password with a 
software-based authenticator. Wherever you store the cryptographic key 
on the platform, the only protection you are likely to have is the 
PBKDF2-derived key from the password that protects the key-pair 
(assuming a password is used - if not, the security is further reduced 
to the point where anyone with access to those keys may authenticate 
with that key).

This is the reason why the FIDO Alliance enabled transporting CTAP over 
protocols such as HID, BLE and NFC for "Security Keys"; it enables the 
use of cryptographic hardware to protect the key-pairs on any platform 
that supports those transport protocols. A small price to pay for more 
than a reasonable level of security.

Arshad Noor

On 2/9/20 7:22 PM, Ki-Eun Shin via GitHub wrote:
> CTAP does not define anything about the platform authenticators. Where 
> is the best place for discussing about platform authenticators? Since we 
> have cases where the platform authenticator might be unavailable on some 
> platforms or devices, it's better to leverage software based platform 
> authenticator in this case rather than not supporting WebAuthn on such 
> environments.
Received on Monday, 10 February 2020 12:35:02 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:39 UTC