Re: [webauthn] How can we trust authenticator data flags in fmt:none response from `.create()`? (#1698)

@emlun Thank you for typing all of that out. I really appreciate your insight, and how you framed it as graduated approaches to building trust in security models that incorporate WebAuthn.

> In this scenario, the RP may require UV for some interactions, for example as an alternative to a traditional password, but isn't really worried about the flag's authenticity. If the user happens to be using an honest authenticator and browser, which most users probably will, then this gives a reasonable assurance that UV was probably actually performed.
>
> ...
>
> So in this case the RP is nudging the user towards higher security, and for most users most of the time, that nudge will be enough. The RP might request and store attestation statements for future reference - for example to warn users if an authenticator model is discovered to be insecure - but it's not strictly necessary since much like the previous scenario, the RP largely "trusts" the user to not do anything stupid. Especially if the RP also factors in other signals like geolocation data, this might be the best balance of security, usability and customizability.

This sounds like the model of trust most RPs will end up with as passwordless auth becomes more ubiquitous, especially non-IdPs that roll their own UX. It makes sense that _most_ users will interact with WebAuthn using typical authenticators (if only platform ones in the consumer space), and that there are other ways for an attacker to gain access to a user's account on a compromised machine that leave the user with more problems than WebAuthn authentication concerns.

Thank you again. You've definitely helped me talk about this with others more intelligently going forward 🎉

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1698#issuecomment-1036639247 using your GitHub account
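Added example (editor's illustration, not code from the thread or from the WebAuthn spec): the "nudge" policy discussed above, as an RP would apply it to the authenticator data returned by `.create()`. It parses the fixed 37-byte prefix of authenticator data (rpIdHash, flags byte, signCount), checks the UP and UV bits, and records whether the response carried any attestation at all, since with fmt "none" nothing signs the flags and the RP is simply taking the authenticator's word for them. The sample authenticator data, the RP ID `example.com`, and the function names are constructed for this example; the attested credential data after the prefix is not parsed here because only the flags byte matters for this decision.

```python
import hashlib
import struct

# Bit positions within the WebAuthn authenticator data flags byte.
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified
FLAG_AT = 0x40  # Attested credential data included
FLAG_ED = 0x80  # Extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-size prefix of authenticator data into its fields.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian),
    followed by optional attested credential data and extensions (not parsed here).
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def evaluate_registration(auth_data: bytes, rp_id: str, fmt: str, require_uv: bool) -> dict:
    """Apply the 'nudge' policy: require UP, optionally require the UV bit,
    and note whether any attestation was present to back the flags.

    With fmt "none" the flags are asserted by the authenticator and browser only;
    an honest client reports them truthfully, but the RP cannot verify that.
    """
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if parsed["rp_id_hash"] != expected_hash:
        return {"accepted": False, "reason": "rpIdHash mismatch"}
    if not parsed["up"]:
        return {"accepted": False, "reason": "UP flag not set"}
    if require_uv and not parsed["uv"]:
        return {"accepted": False, "reason": "UV required but UV flag not set"}
    return {
        "accepted": True,
        "uv": parsed["uv"],
        # True means an attestation statement exists that the RP could choose to
        # verify; False (fmt "none") means the flags are unverified assertions.
        "attestation_present": fmt != "none",
        "reason": "ok",
    }


def make_sample_auth_data(rp_id: str, flags: int) -> bytes:
    """Constructed sample authenticator data for testing (not a real response).

    Appends a zero AAGUID and a 4-byte credential ID so the AT bit has something
    to refer to; the COSE public key is omitted since this example ignores it.
    """
    prefix = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", 0)
    attested = bytes(16) + struct.pack(">H", 4) + b"\x01\x02\x03\x04"
    return prefix + attested


if __name__ == "__main__":
    sample = make_sample_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT)
    print(evaluate_registration(sample, "example.com", "none", require_uv=True))
    no_uv = make_sample_auth_data("example.com", FLAG_UP | FLAG_AT)
    print(evaluate_registration(no_uv, "example.com", "none", require_uv=True))
```

The `attestation_present` field is what distinguishes the scenarios in the thread: an RP that only nudges keeps accepting `fmt: "none"` responses and treats the UV bit as advisory, while an RP that needs the flag to be authentic would reject when that field is False (or verify the attestation against trusted roots when it is True).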


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 11 February 2022 21:28:20 UTC