W3C home > Mailing lists > Public > public-webauthn@w3.org > November 2020

Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Mon, 09 Nov 2020 00:18:26 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-723688982-1604881105-sysbot+gh@w3.org>
I think there is some confusion here. I'm proposing that there is a disconnect between peoples expectations and the word of the standard. I understand that today they are properties of the ceremony, but that is not how people thing about these credentials.

I also want to point out, I am not talking about username-less either. That's unrelated to my point.

My point is that when you first register a credential there are properties of that credential that *could* have properties assigned to it. For example you register a verified credential as an MFA source (think touchid), but you also have a yubikey with ctap1, and still require a password.

In these scenarios because the UV is part of the *ceremony* not the *credential* it's not possible to offer both credential ID's in a single authentication workflow, the client application needs to request extra data from the user to determine which credential they want to use before sending the challenge. 

Sure, the word of the standard is about the UV being part of the ceremony, but the way people think about the credential and account policy is that the UV is part of the credential itself. This is pretty clearly stated in NIST SP63-800b sections 5.1.7 and 5.1.8. https://pages.nist.gov/800-63-3/sp800-63b.html . Not only that the way a user will consider this is that it's part of the credential itself, not the "ceremony".

So I think what I'm saying is that the current approach of the standard does not mesh with guidelines like NIST SP63-800b or human expectations around consistent and reproducible behaviour of their devices. 

So if there is a way to set per-credential UV requests through credProps then I would be happy for that to exist, and  I think the webauthn spec should be updated to recommend credProps with UV parameters over the per-ceremony behaviour that exists today. Can someone please link to references about the credProps extensions if possible to help clarify how that works? 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-723688982 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 9 November 2020 00:18:27 UTC

This archive was generated by hypermail 2.4.0 : Monday, 9 November 2020 00:18:28 UTC