Re: [webauthn] Support for PWA authenticators (#1514)

@nadalin Yes, I can make a draft if you think that's the best way to go about it. I have a small bandwidth though so it might take some time.

@ve7jtb Native app ↔︎ browser pairing using CTAP over HTTPS is good for opening the platform to third-party authenticators, but requiring native apps has a lot of drawbacks. To cite just the main ones:

- It requires end-users to install the native app. An authenticator app, by itself, has very little appeal to most end-users.
- Updates require pushing to app stores as well as being pulled by the end-users, with no guarantee of the latter ever happening at all, so you have as many versions of your app in the wild as you've ever released.
- It adds an unnecessary step, as applinks already require a web property anyway.
- It breaks user experience with a switch to another native application, which involves long transitions and some loading latency.

Enabling PWA authenticators solves all these problems: no install is required, updates are available instantly, the web property directly serves the authenticator instead of managing app links and falling back to offering app downloads, and users stay in the browser.

As for key storage and access to HW, I think that's a wrong argument to be had, as keys from websites using the PWA authenticator do not need to be stored on the device in the first place: they can live on the backend of the PWA authenticator, the same way all my passwords reside on LastPass servers right now. The PWA authenticator could also use webauthn itself or any other method to manage registration/login into the authenticator service, at its own discretion. I think keeping the exact mechanism behind this unspecified and service-dependent is fine, and that all that's needed is a registration API and WebIDL CTAP bindings.

-- 
GitHub Notification of comment by jcayzac
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1514#issuecomment-727708599 using your GitHub account



Received on Monday, 16 November 2020 03:09:39 UTC