Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

How to combine existing protocols is worthy of our serious consideration. With our current proposal, we are also trying to extend the WebAuthn specifications. We have learned these lessons from it.

- The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device. However, the reality is that there are indeed many scenarios that require the user's real identity. Many times we need to know who is really on the other end of that internet connection. This offers a far higher degree of confidence in the identity and that the owner of the identity is present. Any modifications we make to the FIDO protocol will change its principles.
- FIDO's mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. It has proven to be very successful in some uses. Over the years, people have used more secure and convenient alternatives to passwords. Our mission is to make the Internet more authentic and reliable. With the development of the Internet, cyber security risks have also changed significantly. Counterfeiting, tampering, and fraud are extremely common nowadays. We tried to address some of the emerging issues.
- And I think remote and local authentication are not opposed to each other and can supplement each other. For example, a user can go through an eKYC step to re-register a new authenticator for account recovery. Naturally, authenticity of data is the basis of eKYC. On the other hand, once we get an identification through the KYC process, we can use it to do authentication. Just like the [eID schemes](https://fidoalliance.org/webinar-fido-eidas-providing-secure-and-seamless-electronic-services-in-the-eu-2/) rolled out across Europe.
- The computing power of today's devices in a trusted execution environment is still limited. We are not yet able to implement very complex functions in the Secure Environment (e.g. Image Recognition). Many applications will be more convenient for us to handle in the cloud. We need to ensure the authenticity of these data. These already have a very large number of application scenarios. 

Thank you very much for @emlun's consideration. We are also thinking about how to build a new interface to meet as many needs as possible. Do you have any suggestions or experiences to share?

-- 
GitHub Notification of comment by thedreamwork
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1580#issuecomment-804871017 using your GitHub account


Received on Tuesday, 23 March 2021 12:41:48 UTC