W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2021

Re: [webauthn] Allow RP to determine correct Platform Authenticator name (#1563)

From: Arshad Noor <arshad.noor@strongkey.com>
Date: Mon, 8 Feb 2021 09:59:37 -0800
To: public-webauthn@w3.org
Message-ID: <1b4cbaf8-d965-f1da-28da-46da7f554f16@strongkey.com>
On the one hand, while this might be considered useful, in the 
long-term, on the other hand it is likely to make application 
development and maintenance more cumbersome, complicated, and most 
importantly, insecure (on the principle that greater complexity leads to 
a higher probability of human programming mistakes and consequently, 

Today, an RP application developer has to deal with the following 
terminology when dealing with FIDO Authenticators:

- Security Key
- TouchID
- FaceID
- Windows Hello
- Biometric
- Pattern

Who knows what other trademarked names other companies will create as 
every device manufacturer decides to trademark their own names for the 
same capability to compete for consumer mind-share.

What is more useful is for the FIDO/WebAuthn community to use a generic 
term for "Authenticator" and for "User Verification", standardize on it, 
get RPs to use a standardized logo (like at https://loginwithfido.com) 
and educate consumers that different devices may choose to call access 
to the FIDO Authenticator by different names - but they need to realize 
that they all do the same thing in the FIDO/WebAuthn authentication process.

This will not only solve the RP application problem, but will also 
create an informed user-community that does not need to be "babied" into 
oblivion through ignorance. Humans are smarter than most technology 
companies give them credit for - treat them like idiots and who do you 
think you'll attract to your site?

Arshad Noor

On 2/7/21 2:21 AM, Felix Magedanz via GitHub wrote:
> FlxMgdnz has just created a new issue for https://github.com/w3c/webauthn:
> == Allow RP to determine correct Platform Authenticator name ==
> When implementing WebAuthn/FIDO2 for larger end-user focused 
> deployments, we're always struggling with the correct naming of the 
> actions that are presented to the users.
> Allowing the RP to display the specific platform authenticator name 
> would help UX a lot, e.g., "Use Touch ID" or "Set up Windows Hello". For 
> this to work properly, there needs to be a reliable way for the RP to 
> determine the correct name on the platform. It could be very simple, 
> something like "userVerifyingPlatformAuthenticatorName" always returning 
> a string like "Touch ID", "Face ID", "Windows Hello", defined by the 
> platform.
> Revisiting #1304 , we would strongly encourage further developments here.
> Please view or discuss this issue at 
> https://github.com/w3c/webauthn/issues/1563 using your GitHub account
Received on Monday, 8 February 2021 17:59:52 UTC

This archive was generated by hypermail 2.4.0 : Monday, 8 February 2021 17:59:53 UTC