Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

My company is planning on implementing password-less auth using text message verification codes. I decided to investigate WebAuthn as an alternative to sending text messages, primarily to reduce the cost of sending text messages. However, I don't think I can recommend WebAuthn as a replacement for sending text messages for password-less auth.

I think the concern of authenticating from multiple devices is real. While using a smartphone as a roaming authenticator, at least in the US, sounds promising, it is still susceptible to the phone being lost, stolen, broken, restored, or replaced, at which point the user would be locked out and a second form of authentication would be necessary to restore access. At least with text messages, the user would regain access as soon as they could start receiving text messages again. It is also unclear what the flow would be to get the user to use their phone as the authenticator when they are registering for the first time from their laptop, for example.

I don't think it is reasonable to expect people to use a secondary external device to authenticate on their phone. In other words, I don't think it is reasonable to expect people to plug a YubiKey into their phone to authenticate. At least not at this time.



-- 
GitHub Notification of comment by daniel-nagy
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1165664079 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 June 2022 15:04:27 UTC