
Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
Date: Sat, 25 Jan 2020 15:24:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-578415163-1579965875-sysbot+gh@w3.org>
Just to make sure we are talking about the same thing:

1. I do split the username to a separate step to allow for a check for authn support first.
2. I see USB keys and other cross-platform authenticators as a 2nd factor authentication only.
3. I use platform authenticators as a first factor authentication only after a traditional authentication with username, password followed by a 2nd factor auth of some sort has fully authenticated the user. Subsequent authentication can then use WebAuthn platform authentication as the only factor.

The problem is that I can't automatically test for the WebAuthn flow without some upfront knowledge. I could have a separate button on the username form and let the user decide, but I see that as requiring a huge amount of user education and I do not believe it will have a substantial impact on phishing.

With these current restrictions, I just don't see WebAuthn being usable for primary factor authentication unless username enumeration is permissible.

GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-578415163 using your GitHub account
Received on Saturday, 25 January 2020 15:24:38 UTC
