Re: [webauthn] Don't be so strict about uv with the PRF extension. (#1836) from John Bradley on 2023-01-25 (public-webauthn@w3.org from January 2023)

From: John Bradley <jbradley@yubico.com>
Date: Wed, 25 Jan 2023 09:04:56 -0300
To: Matthew Miller via GitHub <sysbot+gh@w3.org>
Cc: public-webauthn@w3.org
Message-ID: <CAEY7Pj-Q2me6dM_gehOTU6aundkRW6a9USyQ_2Fba_19KQutHA@mail.gmail.com>

If Apple followed the pattern of other browsers and set a pin on make
credential if uv is preferred then preferred would make more sense.

Then preferred would always do UV and return the secure PRF.

I can see someone making a credential in Safari with prefers and no pin
then using it in chrome with preferred where it would set a pin on first
use then the RP would get the wrong result unless they are very careful
about checking uv and making a second request with Uv discouraged in that
case.

I understand PRF would work with uv prefered but may seem too complicated
to RP.

In a world with Apple I think making UV required or discouraged will make
it more deterministic for RP.   For the ones that want required they will
have to live with the edge cases of people who have not set up UV not being
able to make credentials in Safari and getting the password prompt on some
MacOS systems.

John B.

On Wed, Jan 25, 2023 at 12:00 AM Matthew Miller via GitHub <sysbot+gh@w3.org>
wrote:

> > I think the stronger wording was fine because I think RP's should know
> there are risks of changing between the UV types, and so consistency is
> important.
>
> After dabbling with `prf` last week I think I have to second this notion.
> Most of the hype around this extension are people wanting to implement
> client-side E2EE. It feels like a foot gun to leave the door open for RP's
> to build out functionality that sometimes fails (catastrophically, in the
> case of encryption) because a browser decides that `"preferred"` actually
> means "evaluate the non-UV prf because UV isn't configured", missing the
> nuance being introduced here that the UV prf should be evaluated "...if it
> is capable of it..."
>
> `"preferred"` is already fraught with inconsistent behavior, as recent
> conversations in the WG have highlighted. Is it in our best interest to
> continue to encourage ambiguous implementations of WebAuthn around this
> value, when practically speaking UV should almost always be required or
> discouraged depending on the RP's authentication model?
>
> --
> GitHub Notification of comment by MasterKale
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/pull/1836#issuecomment-1403030608 using
> your GitHub account
>
>
> --
> Sent via github-notify-ml as configured in
> https://github.com/w3c/github-notify-ml-config
>
>

Received on Wednesday, 25 January 2023 12:05:20 UTC