- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Tue, 19 Apr 2022 06:03:52 +0000
- To: public-webauthn@w3.org
So, some draft use cases. Especially as someone who implements an RP, and works with a lot of people deploying theirs, I think this boils down to a set of five possible scenarioes and workflows. Security Token (Public) ^^^^^^^^^^^^^^^^^^^^^^^ In this use case, we want our authenticator to be a single factor to compliment an existing password. Instead of an authenticator, a TOTP scheme could alternately be used where either the TOTP or authenticator plus the password is sufficient to grant access. Generally in this use case, most identity providers do not care about attestation of the authenticator, what is more important is that some kind of non-password authentication exists and is present. Step wise this would appear as: Registration: 1. The user indicates they wish to enroll a security token 2. The identity provider issues a challenge 3. The browser lists which authenticators attached to the device *could* be registered 4. The user interacts with the authenticator (*note* a pin should not be requested, but fingerprint is okay since it's "transparent") 5. The authenticator releases the signed public key 6. The authenticator is added to the users account Authentication: 1. The user enters their username 2. The user provides their password and it is validated (*note* we could do this after webauthn) 3. The user indicates they wish to use a security token 2. The identity provider issues a webauthn challenge, limited by the list of authenticators and transports we know are valid for the authenticators associated. 5. The browser offers the list of authenticators that can proceed 6. The user interacts with the authenticator (*note* a pin should not be requested, but fingerprint is okay since it's "transparent") 7. The authenticator releases the signature Security Token (Corporate) ^^^^^^^^^^^^^^^^^^^^^^^^^^ This is the same as the public use case, except that in many corporations we may want to define a list of trusted providers of tokens. It's important to us here that these tokens have a vetted or audited supply chain, and we have an understanding of "where" the cryptographic material may reside. For this example, we likely want attestation, as well as the ability to ensure these credentials are not recoverable or transferable between authenticators. Resident Key may or may not be required in these cases. Since these are guided by policy, we likely want to have our userinterfaces guide our users to register or use the correct keys since we have a stricter list of what is accepted. The changes to the workflow in this example are based in the registration. Registration: 1. The user indicates they wish to enroll a security token 2. The identity provider issues a challenge, with a list of what transports of *known* approved authenticators exist that could be used. 3. The browser lists which authenticators attached to the device *could* be registered, per the transport list 4. The user interacts with the authenticator (*note* a pin should not be requested, but fingerprint is okay since it's "transparent") 5. The authenticator releases the signed public key 6. The identity provider examines the attestation and asserts it is from a trusted manufacturer 7. The identity provider examines the enrollment, and asserts it is bound to the hardware (IE not a passkey/backup) 8. The authenticator is added to the users account Passwordless (Public) ^^^^^^^^^^^^^^^^^^^^^ In this example, rather than having our authenticator as a single factor, we want it to be truly multifactor. This allows the user to login with nothing but their authenticator. As a result, we need to strictly verify that the authenticator did a valid user verification. Given that the authenticator is now the "sole" authenticator (even if multi-factor) we are more likely to want attestation here using privacy features granted through indirect attestation. That way we can have a broad list of known good security token providers that we accept. Registration: 1. The user indicates they wish to enroll a security token 2. The identity provider issues a challenge 3. The browser lists which authenticators attached to the device *could* be registered 4. The user interacts with the authenticator - user verification MUST be provided i.e. pin or biometric. 5. The authenticator releases the signed public key 6. The identity provider asserts that user verification occured 7. (Optional) The identity provider examines the attestation and asserts it is from a trusted manufacturer 8. The authenticator is added to the users account Authentication: 1. The user enters their username 2. The identity provider issues a webauthn challenge 3. The browser offers the list of authenticators that can proceed 4. The user interacts with the authenticator - user verification MUST be provided i.e. pin or biometric. 5. The authenticator releases the signature 6. The identity provider asserts that user verification occured Passwordless (Corporate) ^^^^^^^^^^^^^^^^^^^^^^^^ Again, this is similar to above. We narrow and focus this use case with a stricter attestation list of what is valid. We also again want to strictly control and prevent cryptographic material being moved, so we want to ensure these are not transferrable. We may want resident keys to be used here too since we have a higher level of trust in our devices now too. Again, we also will be able to strictly guide UI's due to our knowledge of exactly what devices we accept. Registration: 1. The user indicates they wish to enroll a security token 2. The identity provider issues a challenge, with a list of what transports of *known* approved authenticators exist that could be used. 3. The browser lists which authenticators attached to the device *could* be registered, per the transport list 4. The user interacts with the authenticator - user verification MUST be provided i.e. pin or biometric. 5. The authenticator releases the signed public key 6. The identity provider examines the attestation and asserts it is from a trusted manufacturer 7. (Optional) The identity provider asserts that a resident key was created 8. The identity provider examines the enrollment, and asserts it is bound to the hardware (IE not a passkey/backup) 9. The identity provider asserts that user verification occured 10. (Optional) The identity provider asserts the verification method complies to policy 11. The authenticator is added to the users account Usernameless ^^^^^^^^^^^^ Usernameless is similar to passwordless but *requires* resident keys as the username of the account is bound to the key and discovered by the client. Otherwise many of the features of passwordless apply. It's worth noting that due to the complexity and limitations of resident key management *it is not feasible* for any public service provider to currently use usernameless credentials on a broad scale without significant risk of credential loss. As a result, we limit our use case to corporate only, as they are the only entities in the position to effectively manage these issues. Registration 1. The user indicates they wish to enroll a security token 2. The identity provider issues a challenge, with a list of what transports of *known* approved authenticators exist that could be used. 3. The browser lists which authenticators attached to the device *could* be registered, per the transport list 4. The user interacts with the authenticator - user verification MUST be provided i.e. pin or biometric. 5. The authenticator releases the signed public key 6. The identity provider examines the attestation and asserts it is from a trusted manufacturer 7. The identity provider asserts that a resident key was created 8. The identity provider examines the enrollment, and asserts it is bound to the hardware (IE not a passkey/backup) 9. The identity provider asserts that user verification occured 10. (Optional) The identity provider asserts the verification method complies to policy 11. The authenticator is added to the users account Authentication: 1. The identity provider issues a webauthn challenge 2. The browser offers the list of authenticators that can proceed 3. The user interacts with the authenticator - user verification MUST be provided i.e. pin or biometric. 4. The authenticator releases the signature 5. The identity provider asserts that user verification occured 6. The identity provider extracts and uses the provided username that was supplied -- GitHub Notification of comment by Firstyear Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1720#issuecomment-1102126655 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 19 April 2022 06:03:53 UTC