Re: [webauthn] Allow RP to determine correct Platform Authenticator name (#1563)

On the one hand, while this might be considered useful, in the 
long term, on the other hand it is likely to make application 
development and maintenance more cumbersome, complicated, and most 
importantly, insecure (on the principle that greater complexity leads to 
a higher probability of human programming mistakes and consequently, 
vulnerabilities).

Today, an RP application developer has to deal with the following 
terminology when dealing with FIDO Authenticators:

- Security Key
- TouchID
- FaceID
- Windows Hello
- Biometric
- PIN
- Pattern
...

Who knows what other trademarked names other companies will create as 
every device manufacturer decides to trademark their own names for the 
same capability to compete for consumer mind-share.

What is more useful is for the FIDO/WebAuthn community to use a generic 
term for "Authenticator" and for "User Verification", standardize on it, 
get RPs to use a standardized logo (like at https://loginwithfido.com) 
and educate consumers that different devices may choose to call access 
to the FIDO Authenticator by different names - but they need to realize 
that they all do the same thing in the FIDO/WebAuthn authentication process.

This will not only solve the RP application problem, but will also 
create an informed user-community that does not need to be "babied" into 
oblivion through ignorance. Humans are smarter than most technology 
companies give them credit for - treat them like idiots and who do you 
think you'll attract to your site?

Arshad Noor
StrongKey

On 2/7/21 2:21 AM, Felix Magedanz via GitHub wrote:
> FlxMgdnz has just created a new issue for https://github.com/w3c/webauthn:
> 
> == Allow RP to determine correct Platform Authenticator name ==
> When implementing WebAuthn/FIDO2 for larger end-user focused 
> deployments, we're always struggling with the correct naming of the 
> actions that are presented to the users.
> 
> Allowing the RP to display the specific platform authenticator name 
> would help UX a lot, e.g., "Use Touch ID" or "Set up Windows Hello". For 
> this to work properly, there needs to be a reliable way for the RP to 
> determine the correct name on the platform. It could be very simple, 
> something like "userVerifyingPlatformAuthenticatorName" always returning 
> a string like "Touch ID", "Face ID", "Windows Hello", defined by the 
> platform.
> 
> Revisiting #1304, we would strongly encourage further developments here.
> 
> Please view or discuss this issue at 
> https://github.com/w3c/webauthn/issues/1563 using your GitHub account
> 
> 

Received on Monday, 8 February 2021 17:59:52 UTC