RE: [webauthn] Standardising support for software authenticators (#1175)

Wouldn’t it still be valid from the point of view that the server does NOT
expose authentication subject to credential stuffing attacks? The human
element of the value of adding FIDO authentication should not be
overlooked. Not everyone has good password hygiene or uses a password
manager.

Sent from my iPhone

> On 10 Feb 2020, at 10:36 pm, Arshad Noor <arshad.noor@strongkey.com>
wrote:
>
> I would argue that you may as well just stick with passwords for
> authentication than use software authenticators, Ki-Eun Shin.
>
> Unless you use a hardware-based cryptographic module on the platform,
> your security is reduced to the knowledge of a password with a
> software-based authenticator. Wherever you store the cryptographic key
> on the platform, the only protection you are likely to have is the
> PBKDF2-derived key from the password that protects the key-pair
> (assuming a password is used - if not, the security is further reduced
> to the point where anyone with access to those keys may authenticate
> with that key).
>
> This is the reason why the FIDO Alliance enabled transporting CTAP over
> protocols such as HID, BLE and NFC for "Security Keys"; it enables the
> use of cryptographic hardware to protect the key-pairs on any platform
> that supports those transport protocols. A small price to pay for more
> than a reasonable level of security.
>
> Arshad Noor
> StrongKey
>
>> On 2/9/20 7:22 PM, Ki-Eun Shin via GitHub wrote:
>> CTAP does not define anything about the platform authenticators. Where
>> is the best place for discussing about platform authenticators? Since we

>> have cases where the platform authenticator might be unavailable on some

>> platforms or devices, it's better to leverage software based platform
>> authenticator in this case rather than not supporting WebAuthn on such
>> environments.
>>
>