Re: [webauthn] username and display name should not be mandatory (rp, challange either) and OS UX should be simplified if not present (#1915)

I'm going to mostly ignore the end of 3. for obvious reasons except to say that of course there are benefits in pushing WebAuthn for all of the players you mention; but there are huge benefits for users too both in security and in ease of use (the UX needs work as we all point out). Also what's not clear about how discoverable creds are created? It's not some conspiracy... you can create your own authenticator and get it FIDO certified.

If you also want something more secure for your app and that still uses WebAuthn then derive keys using the PRF extension (unfortunately not available on all OS/client/authenticator combos) and hold the final login until these have been derived, set and the data decrypted (i.e. E2EE). More than happy to share code if you're interested. And yep some of it is definitely "hacky" when trying to go usernameless and anon but ironically this actually gives your users greater privacy. Also I'm sure you've heard of the Signal Protocol - that's probably what you're looking for but it is very complex and probably easy to make a mistake.

Like I said, some of what you're saying is great albeit mashed up with some topics that no-one wants to discuss, at least on GitHub. PS. you have "...not be mandatory (rp, CHALLENGE either) ..." in the issue title and also mentioned it.

-- 
GitHub Notification of comment by ragnarbull
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1915#issuecomment-1833828424 using your GitHub account


Received on Thursday, 30 November 2023 13:55:02 UTC