W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

From: Anders Rundgren via GitHub <sysbot+gh@w3.org>
Date: Wed, 26 Jan 2022 04:49:11 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021858060-1643172550-sysbot+gh@w3.org>
@arshadnoor The core problem is that passwords are portable while platform authenticators are not, making the dream eliminating passwords unrealistic.  Obviously there will be RPs that won't bother with multi-device passkeys.  If this feature becomes a part of the attestation all will be good although it will require minor RP software updates.  A FIDO ecosystem that only supports a handful of RPs may not even be sustainable.

A major problem with the original FIDO concept is that the market known as "retail" (consumer) banking is now faced with a FIDO powered payment authorization standard that greatly underperforms compared to the banks' own proprietary "app" solutions, not to mention Apple Pay.  If you take a look at "settings" in Chrome and Edge you will find payment methods.  That is, payment instrument metadata is already there but the WebAuthn folks came to the conclusion that it is better that users keep their current plastic cards at hand when paying rather than connecting the dots (**Trusted UI** + **Strong authentication**  + **Payment instrument meta data** = **Wallet**).  The rationale for this decision (which has considerable privacy, UX, and deployment downsides), has never been discussed in open so I guess there must be an underlying commercial issue.  However, it gets worse; the in Europe quite popular "PayWithYourBank" schemes require yet another and quite awkward standard-to-be, while (re)using the already existing meta data would (almost) work right out of the box!


-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021858060 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 January 2022 04:49:13 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:44 UTC