Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

Ok. I do understand that you need the photos to make it back to the server for identity proofing. What I was trying to get at was whether those photos need to be full "biometric signals" that the server verifies _as biometrics_, or if the biometric matching could be kept on the client side while the server simply receives back a plain photo.

So I'm imagining that the server would not verify any biometrics, but instead trust the client's assertion that "this credential has been registered with facial recognition, and this (plain) photo shows the person registered". Later assertions would then assert that "the previously registered person has passed facial recognition for this credential", and the server can refer back to the original photo for audit logs and such. The plain photo wouldn't be enough on its own for the server to verify liveness, anti-spoofing, etc., but as long as the client (TEE) is trusted the server can trust the client's assurance that liveness- and anti-spoofing checks have been done.

It's a subtle difference, and I don't know if an approach like this would suffice for your applications - but if possible, it might make it easier to make the case that this still respects FIDO principles while still providing most of the capabilities you need (I think).

GitHub Notification of comment by emlun

Received on Tuesday, 23 March 2021 08:42:18 UTC