Re: [webauthn] Support `discoverableCredential` field in the API. (#1565)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Wed, 14 Jul 2021 21:25:50 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-880221109-1626297948-sysbot+gh@w3.org>

I don't deny that User Verifying Platform Authenticators (UVPA) are likely to be the most effective way to get the vast majority of consumers to adopt FIDO. However, I also believe that the use of an external Security Key simplifies FIDO key lifecycle management for consumers better than any other alternative.

While I recognize what Apple has done with Passkey simplifies that lifecycle management for their consumers, Apple can do what they want in their "walled garden" and get away with it - they own all the pieces to implement what they want with Passkey. The rest of us have to live with multiple, dissimilar devices with different operating systems, different browsers, different transport protocols, different levels of consumer knowledge/capability, etc. Trying to synchronize FIDO key-pairs across that smorgasbord of technology, vendor implementations and terminology will make this protocol/specification a nightmare. We will end up with partially implemented specifications from multiple vendors that will make interoperability a pipe-dream.

IMO, Security Keys work well currently. If hardware vendors bundled one with new devices, it will simplify Account Recovery, make registering with multiple UVPA as easy as pie, **and** save the FIDO ecosystem an enormous amount of time/money keeping things simple for everyone! It is complex enough as it is right now.

Just a word of caution: PKI did not become the hairball it is, overnight. It was beaten into submission by all the use-cases dozens/hundreds of RPs wanted to see in a digital certificate, when in reality, if they kept X509 focused on just authentication, and relegated the use-cases to applications, we might have been using strong authentication for a couple of decades now. Instead, we were forced to invent FIDO to reinvent PKI - but are traveling down the PKI road again!

(I think there's a thread somewhere in this forum - or a FIDO forum - that sounded a similar alarm about including extensions in the FIDO registration/authentication protocol 4-5 years ago).

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1565#issuecomment-880221109 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 14 July 2021 21:25:51 UTC