Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

> Your points about extensions being optional and easy for browsers or authenticators to ignore (or be incapable of supporting) are valid ones. I don't know what a path forward is now...tell RPs to let passkeys happen and forget about `devicePubKey` since it can't reliably achieve its intended goal of supporting pre-passkey operation before passkeys deploy?

Pretty much. IMO the ship has sailed. We live in a world where passkeys will become common.

Regardless, any proposal like this needs to not only demonstrate "how passkey + dpk can be enforced" but also the inverse: how a non-passkey credential, or a passkey credential without dpk, can be correctly asserted. If you cannot demonstrate these three combinations, the suggestion is already flawed.

> 
> > And at the point someone has access to my google, they have my email and can reset all my account passwords anyway. So what is this really defending from?
> 
> I think this highlights a flaw in passkeys: that now there is an avenue to phish users when originally the spec made WebAuthn-based authentication phishing resistant. Is that trade-off worth it for an actual account recovery story for the consumer market?

Given that almost every single RP in the world has amazingly failed at multi-device authentication considerations, yes it is necessary.

To drive this home, let's consider I want to use my iPad with an RP, for example. Pretty much every RP today has a story like this, so I won't bother naming one. Assume I have password + webauthn configured. But the webauthn authenticator is a YubiKey 5C Nano. That cannot connect to my iPad.

As a result, to add my account to my iPad I must:

1. Configure TOTP (likely on a phone with FreeOTP as an app) on my RP account.
2. Send the password (long, machine generated) to my iPad via some out-of-band means (perhaps Signal note to self, iCloud Notes sync, or iCloud Keychain. Who knows).
3. Log in by copy-pasting the password, and then typing out the TOTP from my phone into the iPad.
4. Go to my account settings.
5. Copy-paste the password again to access my account settings to re-validate it's me.
6. Enroll my iPad Touch ID as a webauthn device.
7. Remove TOTP from my account and FreeOTP.

This is the workflow most RPs provide. It's horrible. It's unfriendly. It has weaknesses everywhere.

So of course passkeys and device sync were the inevitable outcome, especially from a company that has a focus on usability like Apple. RPs still demand a password, and they make adding another device painful. Apple Keychain sync and passkey sync make this painless to move between your devices in a way that RPs have failed to consider.


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019640020 using your GitHub account
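Worked example, added here by the editor and not code from the thread's author, the GitHub issue, or the WebAuthn specification: an RP-side check that sorts an assertion into the three combinations the comment asks a proposal to handle (non-passkey credential, passkey with `devicePubKey`, passkey without it) and evaluates it under a lenient and a strict dpk policy. It assumes (both are assumptions, not something the message states) that the RP recognises a synced passkey from the BE (backup eligible) bit of the authenticator data flags byte, and that the extension counts as honoured only when a `devicePubKey` entry appears in the client extension results. The relying-party id and sample assertions are constructed; the extension output is a placeholder, not parsed CBOR.

```python
"""RP-side check of the three assertion shapes discussed in the thread:
a non-passkey credential, a synced passkey carrying devicePubKey, and a
synced passkey without it.

Added example, not code from the WebAuthn spec or from the comment author.
Assumptions (labelled): the RP recognises a synced passkey via the BE
(backup eligible) bit of the authenticator data flags byte, and treats the
devicePubKey extension as honoured only when a `devicePubKey` entry is
present in the client extension results. All inputs below are constructed.
"""
import hashlib
import struct

RP_ID = "rp.example"  # constructed relying-party identifier

# Authenticator data flag bits (WebAuthn authenticator data, byte 32).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced (passkey)
FLAG_BS = 0x10  # backup state: credential is currently backed up


def build_auth_data(flags: int, sign_count: int, rp_id: str = RP_ID) -> bytes:
    """Construct minimal authenticator data: rpIdHash (32) || flags (1) || signCount (4)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count)


def parse_flags(auth_data: bytes) -> dict:
    """Decode the flags byte; raises on blobs shorter than the fixed header."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37-byte header")
    flags = auth_data[32]
    return {
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": bool(flags & FLAG_BE),
        "bs": bool(flags & FLAG_BS),
    }


def classify(auth_data: bytes, ext_results: dict) -> str:
    """Map an assertion onto one of the three combinations from the thread."""
    f = parse_flags(auth_data)
    if not f["up"]:
        raise ValueError("user presence flag not set")
    has_dpk = "devicePubKey" in ext_results
    if not f["be"]:
        return "non-passkey"  # device-bound credential; dpk is irrelevant here
    return "passkey+dpk" if has_dpk else "passkey-no-dpk"


def evaluate(auth_data: bytes, ext_results: dict, require_dpk_for_passkeys: bool) -> tuple:
    """Return (accepted, reason) under a lenient or a strict dpk policy."""
    kind = classify(auth_data, ext_results)
    if kind == "non-passkey":
        return True, "device-bound credential; no dpk needed"
    if kind == "passkey+dpk":
        return True, "synced credential with a device public key"
    if require_dpk_for_passkeys:
        # The RP cannot tell a client that never implemented the extension
        # from one where it was dropped, so strict mode rejects both alike.
        return False, "synced credential without dpk; extension absence is ambiguous"
    return True, "synced credential accepted without dpk"


def demo() -> dict:
    """Run each combination through both policies on constructed assertions."""
    # Synced passkeys commonly report a zero signature counter. The dpk
    # extension output below is a placeholder, not a parsed CBOR structure.
    dpk_output = {"authenticatorOutput": b"<cbor-placeholder>", "signature": b"<sig-placeholder>"}
    cases = {
        "non-passkey": (build_auth_data(FLAG_UP | FLAG_UV, 7), {}),
        "passkey+dpk": (build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0),
                        {"devicePubKey": dpk_output}),
        "passkey-no-dpk": (build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0), {}),
    }
    results = {}
    for name, (auth_data, ext) in cases.items():
        results[name] = {
            "classified": classify(auth_data, ext),
            "lenient": evaluate(auth_data, ext, require_dpk_for_passkeys=False)[0],
            "strict": evaluate(auth_data, ext, require_dpk_for_passkeys=True)[0],
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} {outcome}")
```

The strict policy is the one the proposal in this issue would need: it accepts the first two shapes and rejects the third, and the rejection branch is exactly where the comment's objection lands, since the RP sees only "no `devicePubKey` entry" and cannot distinguish a browser that never implemented the extension from one where it was stripped.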


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 24 January 2022 01:54:01 UTC