Re: [webauthn] WebAuthn available to Workers? aka "silent authentication" (#199)

This might be re-opening an old discussion thread and if that's the case, sorry.

I want to point out one use case where silent authentication would be useful: SSH with SK (see https://www.openssh.com/txt/release-8.2) in web.

In particular, for enterprises using certificate-based SSH, storing certificates inside security keys is a natural design and can be implemented via the [largeBlob extension](https://w3c.github.io/webauthn/#sctn-large-blob-extension). However, for security, issuance of SSH certificates should require some attestation of the public key. If the enterprise chooses to use, for example, a WebAuthn create call to generate the SSH public key and its attestation, setting up an SSH session requires at least two WebAuthn calls. The UX would be confusing.

I'm vaguely thinking, if some form of silent authentication is available, we might be able to have a WebAuthn-based implementation with much better UX. But of course, the relevant details, especially security implications of any potential changes to CTAP2 for this, need to be carefully crafted.

-- 
GitHub Notification of comment by James-ZHANG
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/199#issuecomment-1340102654 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 6 December 2022 22:35:02 UTC