- From: Arshad Noor <arshad.noor@strongkey.com>
- Date: Mon, 10 Feb 2020 04:34:53 -0800
- To: public-webauthn@w3.org
I would argue that you may as well just stick with passwords for authentication than use software authenticators, Ki-Eun Shin. Unless you use a hardware-based cryptographic module on the platform, your security is reduced to the knowledge of a password with a software-based authenticator. Wherever you store the cryptographic key on the platform, the only protection you are likely to have is the PBKDF2-derived key from the password that protects the key-pair (assuming a password is used - if not, the security is further reduced to the point where anyone with access to those keys may authenticate with that key). This is the reason why the FIDO Alliance enabled transporting CTAP over protocols such as HID, BLE and NFC for "Security Keys"; it enables the use of cryptographic hardware to protect the key-pairs on any platform that supports those transport protocols. A small price to pay for more than a reasonable level of security. Arshad Noor StrongKey On 2/9/20 7:22 PM, Ki-Eun Shin via GitHub wrote: > CTAP does not define anything about the platform authenticators. Where > is the best place for discussing about platform authenticators? Since we > have cases where the platform authenticator might be unavailable on some > platforms or devices, it's better to leverage software based platform > authenticator in this case rather than not supporting WebAuthn on such > environments. >
Received on Monday, 10 February 2020 12:35:02 UTC