Re: [webauthn] Add a way to use webauthn without Javascript (#1255)

> Researchers have experimentally added FIDO support to TLS as an alternative client authentication method. For example, see https://sar.informatik.hu-berlin.de/research/publications/SAR-PR-2021-02/SAR-PR-2021-02_.pdf.
> 
> Obviously that would require the TLS server to support FIDO and the TLS client (i.e. browser) to do so as well. This approach addresses the channel binding aspect as well as the inconsequential nature of the token binding approach (see [#2239 (comment)](https://github.com/w3c/webauthn/pull/2239#issuecomment-2607222212)).
> 
> Would that address the concerns of using JavaScript?

While this is pretty cool, I don't think this is a good way to get more WebAuthn adoption. It would essentially move authentication into the TLS termination layer, which in most common web app deployments is a reverse proxy that does not handle authentication at all. Handling WebAuthn in HTML would meet most RPs where they are at, while handling it in TLS would require quite a lot of changes for them.

-- 
GitHub Notification of comment by ignaloidas
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1255#issuecomment-2611100100 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 23 January 2025 21:57:12 UTC