Re: [webauthn] Support `discoverableCredential` field in the API. (#1565)

I have gone on public record, that FIDO was invented because PKI-based TLS ClientAuth - the original passwordless authentication protocol - was too complex for application developers to understand/use within web and rich-client applications. I didn't think a day would come where, despite being in the FIDO Alliance for nearly 7 years, I would shake my head at the complexity of what FIDO/WebAuthn has become.

Looking at the Level-2 spec, here is what I see - including the 3 marketing related names (in **_bold italics_**), there are at least 20 different names to define FIDO/WebAuthn "stuff" in the specification (I'm not sure whether I've missed others):

1. Client-side discoverable Credential
2. Client-side discoverable Public Key Credential Source
3. Discoverable Credential
4. First-factor Roaming Authenticator
5. Non-discoverable Credential
6. Non-Resident Credential
7. **_Passkey_**
8. Platform Authenticator
9. Platform Credential
10. Resident Credential
11. Resident Key
12. Roaming Authenticator
13. Second-factor Platform Authenticator
14. Second-factor Roaming Authenticator
15. security key
16. **_Security Key_**
17. Server-side Credential
18. Server-side Public Key Credential Source
19. User-verifying Platform Authenticator
20. **_Windows Hello_**

AFAICT, from a technical pov, there are only 3 basic "objects" that people need to keep track of in their heads when reading about FIDO/WebAuthn: **Authenticator**, **Credential** and **Key**. Everything else merely describes these objects or the context in which they are used. 

Is it possible to simplify the naming to use just the 3 objects and embellish them with decorative symbols to describe them or represent the context in which they are used? For example, when a number is raised to the power of 2 or 3, we don't say "squared number" or "cubed number" in the text - we denote them as N^2 or N^3. Could the specification do something similar with the 3 objects and simplify the spec?

And, for the API that references these names, can the desired properties not just be passed as attributes of first-class **Authenticator**, **Credential** or **Key** objects?

I'll leave it to more creative minds to come up with the symbols that can denote context better than I can: color-coded, graphical symbols... anything that can help reduce the complexity of reading this specification.

P.S. I really, really wish the companies behind the marketing names for FIDO had not added to the confusion. I'm a strong believer that an informed consumer is the best defense the internet can have - but the more we obscure **FIDO**, the easier it will likely become to manipulate ill-informed users in time.

GitHub Notification of comment by arshadnoor

Received on Wednesday, 7 July 2021 02:55:32 UTC