[webauthn] Possibility to filter displayed authenticators by certified level (#1816)

JeanDim has just created a new issue for https://github.com/w3c/webauthn:

== Possibility to filter displayed authenticators by certified level ==
## Description

Dear webAuthn community,

I would like to submit this use case: Possibility to filter displayed authenticators by certified level

The rationale is the following: As several [FIDO security levels](https://fidoalliance.org/certification/authenticator-certification-levels/) exist for authenticators, a relying party (a bank for instance) could rely on these to evaluate the level of trust and confidence of user authentication. Many factors can be taken into account, such as regulation, requested action sensitivity, user environment, fraud history … Therefore, depending on such factors, a relying party may adjust the FIDO security level of accepted authenticators for a given user or context.

How could an RP do so? Especially without impacting the user experience in a negative way?

One use case could be:
1. A bank, for security reasons, only accepts level 3 certified authenticators (as an example).
2. When the RP (the bank) prompts the user for credential creation (enrolment), the browser displays the authenticators detected (platform or roaming) - without any certification-based filtering.
3. Therefore, a user selects a random (or favorite) authenticator (without info regarding the authenticator's certified level).
4. The authenticator provides the attestation to the RP (the bank).
5. The bank checks the authenticator certification level with the FIDO MDS (or uses a whitelist / blacklist with the authenticator AAGUID).
6. Then the bank rejects the enrolment due to its security policy.

==> The authenticator still has the credential created but it is not usable (as the RP rejects it at the end); the user may be confused, and there is no way for the user to identify a certified level 3 authenticator at this stage.

Without the possibility to filter authenticators prior to credential creation, a bank may fall back to another authentication method, such as a banking app, KBA or OTPs (multi-channel).

Would it be possible to consider adding such a filtering feature for a relying party, through the WebAuthn / CTAP protocol?

## Related Links

- https://fidoalliance.org/certification/authenticator-certification-levels/

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1816 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 13 October 2022 14:41:26 UTC
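The following is an added example of step 5 of the use case above, the RP-side check that happens after credential creation; it is not code from the issue author or from the w3c/webauthn project. It assumes the RP holds a local copy of FIDO MDS metadata indexed by AAGUID (the `METADATA` table, the three AAGUIDs and the model descriptions are constructed placeholders), uses the status strings of the MDS3 `AuthenticatorStatus` enum, and reads the AAGUID straight out of the `authenticatorData` bytes that `navigator.credentials.create()` returns. The all-zero AAGUID case (attestation conveyance "none" zeroes it) and a revoked model are handled explicitly, since both reach the RP only after the credential already exists on the authenticator, which is the problem the issue describes.

```python
"""RP-side enrolment policy check on authenticator certification level.

Constructed example: the RP extracts the AAGUID from authenticatorData,
looks it up in a local FIDO MDS copy (METADATA, constructed) and accepts or
rejects the enrolment against a required certification level.
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# Certification statuses from the FIDO MDS3 AuthenticatorStatus enum,
# ranked lowest to highest (FIDO_CERTIFIED is the legacy L1 equivalent).
CERT_RANK = {
    "NOT_FIDO_CERTIFIED": 0,
    "SELF_ASSERTION_SUBMITTED": 0,
    "FIDO_CERTIFIED": 1,
    "FIDO_CERTIFIED_L1": 1,
    "FIDO_CERTIFIED_L1plus": 2,
    "FIDO_CERTIFIED_L2": 3,
    "FIDO_CERTIFIED_L2plus": 4,
    "FIDO_CERTIFIED_L3": 5,
    "FIDO_CERTIFIED_L3plus": 6,
}
# Status reports that disqualify a model regardless of its certification.
BLOCKING = {"REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
            "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}
FLAG_AT = 0x40  # authenticatorData flag: attested credential data present

# Constructed AAGUIDs and metadata entries (placeholders, not real models).
AAGUID_L3 = uuid.UUID("11111111-1111-1111-1111-111111111111").bytes
AAGUID_L1 = uuid.UUID("22222222-2222-2222-2222-222222222222").bytes
AAGUID_REVOKED = uuid.UUID("33333333-3333-3333-3333-333333333333").bytes
METADATA = {
    AAGUID_L3: {"description": "Example Key L3",
                "statusReports": [{"status": "FIDO_CERTIFIED_L3", "effectiveDate": "2021-06-01"}]},
    AAGUID_L1: {"description": "Example Key L1",
                "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-01-15"}]},
    AAGUID_REVOKED: {"description": "Example Key (revoked)",
                     "statusReports": [{"status": "FIDO_CERTIFIED_L2", "effectiveDate": "2020-03-01"},
                                       {"status": "REVOKED", "effectiveDate": "2022-09-01"}]},
}


def extract_aaguid(auth_data: bytes) -> bytes:
    """Return the AAGUID from WebAuthn authenticatorData.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData,
    where attestedCredentialData begins with aaguid(16) | credIdLen(2) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    return auth_data[37:53]


def effective_status(entry: dict) -> str:
    """Latest status report wins, except that a blocking report wins outright."""
    reports = sorted(entry["statusReports"], key=lambda r: r.get("effectiveDate", ""))
    for report in reports:
        if report["status"] in BLOCKING:
            return report["status"]
    return reports[-1]["status"] if reports else "NOT_FIDO_CERTIFIED"


def evaluate_enrolment(auth_data: bytes, required: str, metadata: dict = METADATA,
                       denylist: frozenset = frozenset()) -> tuple[bool, str]:
    """Decide whether the newly created credential satisfies RP policy."""
    try:
        aaguid = extract_aaguid(auth_data)
    except ValueError as exc:
        return False, f"reject: {exc}"
    if aaguid == bytes(16):
        # Attestation conveyance "none" zeroes the AAGUID, so the
        # certification level cannot be verified at all.
        return False, "reject: zero AAGUID, certification level unverifiable"
    if aaguid in denylist:
        return False, "reject: AAGUID on RP denylist"
    entry = metadata.get(aaguid)
    if entry is None:
        return False, "reject: AAGUID unknown to metadata service"
    status = effective_status(entry)
    if status in BLOCKING:
        return False, f"reject: {entry['description']} status {status}"
    if CERT_RANK.get(status, 0) < CERT_RANK[required]:
        return False, f"reject: {entry['description']} is {status}, policy requires {required}"
    return True, f"accept: {entry['description']} ({status})"


def build_auth_data(aaguid: bytes, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed authenticatorData, shaped as a browser hands it to the RP."""
    rp_id_hash = hashlib.sha256(b"bank.example").digest()
    flags = bytes([0x01 | 0x04 | FLAG_AT])  # UP | UV | AT
    sign_count = struct.pack(">I", 0)
    cose_key_stub = b"\xa0"  # empty CBOR map standing in for the COSE public key
    return (rp_id_hash + flags + sign_count + aaguid
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key_stub)


if __name__ == "__main__":
    for label, aaguid in [("L3", AAGUID_L3), ("L1", AAGUID_L1),
                          ("revoked", AAGUID_REVOKED), ("zero", bytes(16))]:
        print(label, evaluate_enrolment(build_auth_data(aaguid), "FIDO_CERTIFIED_L3"))
```

Every `reject` branch here fires only after the authenticator has already stored the credential, which is exactly the user-facing problem the issue raises: the policy is sound, but the RP can apply it no earlier than the attestation arrives.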