Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

It's clear to me that web authentication needs to cover both local and remote parts. The existing WebAuthn protocol seems to contain only the local part. As devices become more and more perceptive, the means of verification are becoming more and more abundant. Remote authentication allows a lot of verification that could previously only be done offline to be shifted online. In the current situation, we urgently need to address the security risks involved in remote authentication.
Ideally, it should be a unified specification, as the two are essentially the same. However, extending the existing interface seems to make its definition unclear by adding many parameters. Perhaps they could differ by having a custom flow, different security risks, different use cases, or different threat models and capabilities.
In the local authentication scenario, since the data are stored on the device, the same device is required in the registration and verification phases. But with remote authentication, we can register on device A and verify on device B. We just need to make sure that the data is authentic and of high fidelity, so in my opinion the registration and verification phases can be unified. We just need to make sure that biometric authentication is only as secure as the physical inputs and sensors used to gather it.
Local authentication is used to prove that I am me, while remote authentication is mostly used to prove who I am. So there are very many cross-platform authenticators in local authentication, but I think what is needed for remote authentication is a platform authenticator. Extending the CTAP protocol may be a bit too limited. A new interface may be more appropriate. I do not know if I am making myself clear.
And lastly, a very big thank-you to @ve7jtb for the time and consideration.


-- 
GitHub Notification of comment by thedreamwork
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1580#issuecomment-804041601 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 March 2021 12:59:54 UTC