[webauthn] Tech and business plan injection - a roadmap - The Key Smith story (#1834)

GregorGT has just created a new issue for https://github.com/w3c/webauthn:

== Tech and business plan injection - a roadmap - The Key Smith story ==
How do we solve the login problem?
It is an intriguing and complex problem; perhaps it is most reasonable to look at the problem from an abstract perspective, or from a perspective that has nothing to do with the virtual process of logging into a website.
Where else does one find a process where people who would like to enter a realm have to go through some sort of portal?
Well, that very sentence may already give a clue to an answer: a door or portal. A door is a gate between two different realms, an outside world and a space that is separated from that world by a wall to give protection, creating a space to do something within it. Now, the door has evolved for thousands of years, together with everything that is associated with the process of entering a blocked real space.
How does a door mostly protect one of these two spaces from the other? It has a lock and a key that goes into the lock.
These keys and locks are so versatile and necessary that an entire industry around them is thriving.
Having looked at the door, let's summarize two key aspects that may come in handy:
A) For a complex problem, have a versatile tool, in this case a software tool that can be used and modified.
B) Depending on the case, it will make sense to have a profession that can customize login solutions for different clients and needs.

B) is something that can be done with a business plan, in which it is defined how money can be spent to foster and pay a craft that will customize and take care of login problems. These solutions and professions will vary from case to case, from simple one-click logins (for accounts that don't need proper protection) to multi-factor authentication mechanisms, and will vary in price and range. Now, to let this software craft thrive, it is important to give its practitioners guidance with cost tables, guiding them through a period in which they will have to calibrate their own cost tables and techniques, until this profession can be learned and is well established in society. I personally have created such tables (where people have to pay for virtual keys and virtual doors, with a lower complexity margin so that simple logins are free of charge). I am looking forward to other ideas and will only go into more detail when asked (I am looking forward to it).
 
A) This is a more complicated problem. How do we give these electronic key smiths a tool, and a user a tool, so that they can customize or custom-order login mechanics?
I think that there are two key technologies here that can answer this question. Let's start from the bottom and build up the tech.
The first part is a token; another would be a public and private key. Now, a token can be modified and crafted into something like a public and private key, where one part is stored on the user's side and the other on the server. Both parts of that token can give access to an account. Combined with a software tool on the user side, this would allow a user to log in with a single click of a button. For more secure login mechanisms it would be essential to have a technology that lets a server/platform or user know when someone is attempting to log in, just like a camera can monitor a door. For that, another technology can give rise to an entire industry that can hook into it. When the server is listening for the key, or for the other parts of the token, it can use hidden tokens (that are more likely to be triggered by the hacker) that are hidden within that token or private key. As an example, let's use a token that is split into a token of one single symbol and 12 more symbols on the client side. Now, if someone is attempting to discover that token via brute force, the shorter, one-symbol-long token is more likely to be triggered on the server side if it listens for it. And voilà, we have a virtual trigger where an entire industry can hook in. For instance, this trigger can let the user know that someone is breaking in. That trigger can tell the server to remove the virtual door for a certain amount of time, or forever, so that the attempt at breaking in fails. But the answer to the question of what to do here is so versatile from case to case that it may be answered by an industry specializing in it.
Now we have our basic building blocks. Now the question remains: what is the second technology, or how do we use these keys, tokens and whatnot to give electronic key smiths a simple tool so that they can craft virtual doors and virtual keys for every single login?
For that, we can put them into a tree, where every token, part of a token or key is associated with a step of logging in. To keep things simple, let's call these trees token trees.
So a branch of that tree can be associated with a login. Now the software craftsmen will have to learn how to create these trees, of course with the help of software and other tools, and the server will have to know how to read and process the bits and pieces that are associated with these tokens. Now every token in a branch can stand for a different technology that can be hooked into the process by putting it into the tree (PINs, fingerprint scans, etc.). That is a tool that a specialized occupation can now use to make a living and profit with.
There is of course more to the token tree (which is split between a user and a server) than I am going to write here, but if you are interested, I am looking forward to discussing it further.

Of course there are a lot of questions unanswered here (I do have answers for them, but am looking forward to other answers):
- How do we provide these tools to platforms that don't have the software integrated?
- How do we allow people to share these token trees between different devices?
- etc.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1834 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 16 December 2022 13:44:21 UTC
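The two mechanisms sketched in the issue above, a split token whose server side also "listens" for a short one-symbol trip wire, and a token tree whose branches are login flows built from steps such as a PIN, modelled as an added example. This is not code from the issue author or from the WebAuthn project; the class and function names, the sample key halves, the PIN, the fingerprint template string and the digit-only guesser are all assumptions made here for illustration.

```python
"""Toy model of a split login token with a hidden one-symbol trip wire and of
a token tree whose branches are login flows.  Added illustration of the scheme
sketched in the issue above; not the issue author's or WebAuthn's code.  Every
name, value and policy below is an assumption made for the example."""
import hashlib
import hmac
import itertools
from dataclasses import dataclass, field
from typing import Callable, List, Optional


def split_token_digest(client_half: str, server_half: str) -> str:
    """The server stores only this digest of the recombined token, not the client half."""
    return hashlib.sha256((client_half + server_half).encode()).hexdigest()


@dataclass
class Door:
    """Server side of one account's 'virtual door' (assumed layout)."""
    server_half: str                    # server-held part of the split token
    token_digest: str                   # sha256(client_half + server_half)
    trip_wire: str                      # short decoy value the server listens for
    locked: bool = False                # door removed once the trip wire fires
    alerts: List[str] = field(default_factory=list)


def make_door(client_half: str, server_half: str, trip_wire: str) -> Door:
    return Door(server_half, split_token_digest(client_half, server_half), trip_wire)


def present_key(door: Door, presented: str) -> str:
    """Verify a presented client half: 'trapped', 'locked', 'open' or 'denied'.
    The trip wire is tested first so the alarm fires even on a locked door."""
    if hmac.compare_digest(presented.encode(), door.trip_wire.encode()):
        door.locked = True                          # 'remove the virtual door'
        door.alerts.append(f"trip wire hit with {presented!r}")
        return "trapped"
    if door.locked:
        return "locked"
    if hmac.compare_digest(split_token_digest(presented, door.server_half), door.token_digest):
        return "open"
    return "denied"


@dataclass
class Step:
    """One node of a token tree: a login step plus the steps that may follow it."""
    name: str
    check: Callable[[Door, str], str]   # (door, submitted value) -> verdict
    opens: bool = False                 # may the door open right after this step?
    children: List["Step"] = field(default_factory=list)


def secret_check(expected: str) -> Callable[[Door, str], str]:
    """Step verifier for a static secret such as a PIN (constant-time compare)."""
    def check(door: Door, value: str) -> str:
        return "open" if hmac.compare_digest(value.encode(), expected.encode()) else "denied"
    return check


def walk_branch(door: Door, root: Step, answers: List[tuple]) -> str:
    """Follow the branch selected by the client's (step name, value) answers.
    A step off the branch, a failed step, or stopping before an 'opens' node
    all refuse entry."""
    candidates: List[Step] = [root]
    step: Optional[Step] = None
    for name, value in answers:
        step = next((s for s in candidates if s.name == name), None)
        if step is None:
            return "denied"
        verdict = step.check(door, value)
        if verdict != "open":
            return verdict
        candidates = step.children
    return "open" if step is not None and step.opens else "incomplete"


def build_demo() -> tuple:
    """Constructed sample: the key step must be followed by either a PIN step or
    a fingerprint-template step; the key alone does not open this door."""
    door = make_door("3f9a1c7e0b5d", "server-half-kept-secret", trip_wire="7")
    root = Step("key", present_key, children=[
        Step("pin", secret_check("4812"), opens=True),
        Step("fingerprint", secret_check("template-9c2e"), opens=True),
    ])
    return door, root


def guesses_until_trapped(door: Door, root: Step, alphabet: str, max_len: int) -> Optional[int]:
    """Enumerate keys the way a naive brute-forcer would and return the attempt
    number at which the trip wire fired (None if it never did)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for guess in itertools.product(alphabet, repeat=length):
            attempts += 1
            if walk_branch(door, root, [("key", "".join(guess))]) == "trapped":
                return attempts
    return None


if __name__ == "__main__":
    door, tree = build_demo()
    print(walk_branch(door, tree, [("key", "3f9a1c7e0b5d"), ("pin", "4812")]))  # open
    print(guesses_until_trapped(door, tree, "0123456789", 2))                    # 8
    print(walk_branch(door, tree, [("key", "3f9a1c7e0b5d"), ("pin", "4812")]))  # locked
```

Two practitioner notes on the model: a one-symbol trip wire is also what a legitimate user's typo looks like, so a deployment would pick a trap value that valid client software can never emit and would rate-limit before it permanently locks the door; and the server keeps only a digest of the recombined token so that a database leak alone does not hand out the client half.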