[webauthn] Add support for SRP (or some other PAKE) in WebAuthn (#1960)

dolda2000 has just created a new issue for https://github.com/w3c/webauthn:

== Add support for SRP (or some other PAKE) in WebAuthn ==
WebAuthn currently standardizes support for RSA and EC public/private keypairs. It can perhaps be argued that it would be nice if support for the Secure Remote Password protocol, and/or some other PAKE like OPAQUE, were added as a standard algorithm.

Unless I misunderstand something, a good PAKE (like OPAQUE) with a randomly generated password is no less secure than an RSA or EC key, but supporting a PAKE algorithm would also extend the usefulness of WebAuthn to using passwords in a much more secure manner.

It could perhaps be argued that websites can implement PAKE algorithms on their own without needing it integrated into WebAuthn, but having it in WebAuthn would be nice, partly in that it would encourage adoption on more websites, and partly because it could allow a user to choose between passwords and other WebAuthn mechanisms through the same browser-based mechanism, without websites needing multiple authentication options in addition to WebAuthn also allowing multiple suboptions.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1960 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 8 September 2023 20:21:03 UTC