Re: [webauthn] Consider allowing cross-domain credential use (#1372)

@MasterKale 

> Why _couldn't_ WebAuthn be used for 2FA/Passwordless/Usernameless logins for browser extensions that want to offer an additional level of access control? It's not much different than how some privacy-oriented apps offer a secondary passcode you have to enter when you open the app.
> 
> I think we should consider updating the spec to enable alternative RP implementations outside of the traditional "remote server" definition of what an RP is. Use cases for the technology can come out of nowhere, as in the case of an extension developer who wants to leverage an "internal RP" that is completely contained within the extension to allow for attestations and assertions for local authentication.

WebAuthn couldn't be used for local authentication like this because it is a challenge-response authentication method, and challenge-response authentication only works when client and server are separate. Otherwise the user can bypass the authentication by simply using a different client without the authentication check. Local access control requires encryption, which WebAuthn is currently not equipped for. This could change in the future with the proposed [`prf` extension](https://github.com/w3c/webauthn/issues/1462), but that's not currently in the spec.

Granted, it is possible for the "server" part to be a local application running in a secure enclave along with and trusted by the operating system, but as far as I know userspace applications are rarely deployed like that.

By contrast, @Mikescops's use case of a browser extension authenticating itself to a remote server (for example, to download an encrypted vault file) is a different matter and is compatible with challenge-response authentication.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1372#issuecomment-814087432 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 6 April 2021 12:40:29 UTC
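The distinction emlun draws above, modelled as an added example (not code from the thread or from the WebAuthn project): `Authenticator`, `LocalGate` and `PrfEncryptedVault` are assumed names, an HMAC under a device-held secret stands in for the authenticator's private-key signature, `prf()` is a simplified model of the proposed prf extension, and the stream cipher is a toy built for the demo. The first design gates a plaintext vault behind a locally verified assertion, which any other client can skip; the second derives the vault key from the authenticator's PRF, so there is no check to skip.

```python
import hashlib
import hmac
import os

VAULT = b"secret vault contents"  # constructed sample data

class Authenticator:
    """Stand-in for a WebAuthn authenticator: an HMAC under a device-held secret
    plays the role of the private-key signature; prf() models the prf extension."""
    def __init__(self):
        self._secret = os.urandom(32)  # never leaves the device
    def assertion(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, b"assert" + challenge, hashlib.sha256).digest()
    def verifier(self):  # handed to the RP at registration, like a public key
        return lambda c, sig: hmac.compare_digest(sig, self.assertion(c))
    def prf(self, salt: bytes) -> bytes:  # PRF evaluated on-device over a salt
        return hmac.new(self._secret, b"prf" + salt, hashlib.sha256).digest()

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher for this demo only (real code
    would use AES-GCM); the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class LocalGate:
    """Design 1: the 'RP' lives inside the extension and the vault is stored in
    clear, so the check is a line of code that another client simply skips."""
    def __init__(self, verify):
        self.verify, self.storage = verify, {"vault": VAULT}
    def unlock(self, auth: Authenticator) -> bytes:
        challenge = os.urandom(16)
        if not self.verify(challenge, auth.assertion(challenge)):
            raise PermissionError("assertion rejected")
        return self.storage["vault"]

def read_without_authenticator(gate: LocalGate) -> bytes:
    return gate.storage["vault"]  # same bytes, no authenticator involved

class PrfEncryptedVault:
    """Design 2: nothing to verify; the key exists only while the authenticator
    evaluates the PRF, so a client without it only ever holds ciphertext."""
    def __init__(self, auth: Authenticator, salt: bytes = b"vault-key-v1"):
        self.salt = salt
        self.storage = {"vault": xor_keystream(auth.prf(salt), VAULT)}
    def unlock(self, auth: Authenticator) -> bytes:
        return xor_keystream(auth.prf(self.salt), self.storage["vault"])
```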