w3c / webcrypto

The W3C Web Cryptography API
https://w3c.github.io/webcrypto/

standardize device biometrics / PIN check as a 2nd factor to support web crypto operations #354

Open prime2358 opened 1 year ago

prime2358 commented 1 year ago

The first use case of web crypto, mentioned by the specs, is multi-factor authentication: https://www.w3.org/TR/WebCryptoAPI/#multifactor-authentication

Since biometrics / PIN access is used in native apps as a second factor to crypto operations (implemented by web crypto on the web), I think the web crypto standard would be the right place to standardize a simple biometrics / PIN check (above different native platform APIs) like (just an initial suggestion):

subtle.crypto.verifyUser(option, timeout = 100_000)

This would be like a second factor for any (!) crypto operation where it makes sense: like signing challenges or decrypting data.

Example use cases (2):

Apple, Google, Microsoft platforms have different classifications of "device unlock" security levels; it would be great to achieve a good definition of what is considered STRONG.

prime2358 commented 1 year ago

EXTRA info:

I rephrased https://github.com/w3c/webcrypto/issues/351 with better understandable use cases. I stress that what I propose here is an extension to multiple(!) WEB CRYPTO functionality with a 2nd factor and not a full authentication solution that is webauthn.

Webauthn standard has nothing to do with decryption, for example.

Webauthn cannot be used for simple biometrics checks, it is coupled to creating and getting private keys in a pass manager system.

Web crypto enabled us to use private keys in the browser. What is proposed here, in addition to other use cases like decryption, is to ENHANCE the current WEB CRYPTO implementation of BROWSER stored private key signing with a 2nd factor of biometrics check that proves that the device owner executes a command.

Even in this use case, it is not duplicating webauthn functionality. It is providing a biometrics enhancement of browser stored private keys that is usually a part of a different authentication system than the passkey approach.

Netflix has a WEB CRYPTO based approach where email/password is an initial sign in and recovery, access tokens and web crypto keys manage keeping the device signed in. This works with people having a paper based password system and emails, works on all platforms (Linux) with or without any pass managers(!), now. For accessing local encrypted data or performing sensitive server side actions with already signed in devices (managed by WEB CRYPTO) it would be a great 2nd factor to provide biometrics check capability, uncoupled to any alternative full scale authentication method that requires pass manager usage.

Another approach is https://github.com/w3c/webcrypto/issues/350 where you couple web crypto operations to biometrics/PIN checks. As of now I do not really see why it is better than just having a biometrics check with yes/no result but it may guide implementors to use biometrics check by crypto operations where it really makes sense like signing or decrypting. As of now, I am supporting a well separated biometrics check as proposed here.

I would really like to keep this suggestion open for at least a year to be discoverable by others and listen to others.

I found it very rude that a single person shuts a discussion down before even getting views from multiple people.

I cannot accept an argument that this is some kind of duplication of webauthn and webauthn should be changed instead. I think the person who states this has no idea what webauthn is and how unrealistic it sounds. I spent a lot of time with webauthn, implemented it successfully, I know webauthn standard, I implemented web crypto encryption/decryption and web crypto ECDSA private keys and access tokens and signing and all of this. I really know what I am talking about.

I am totally open to security arguments from people who are much better in security than I am but it is nonsense that you can use webauthn for above purposes that is clearly a biometric capability extension of the use cases of THIS standard.

It may be a competing approach to passkeys to use browser based private keys and biometrics and keep passwords, but it is a healthy competition and not at all a duplication. I do not see any suggestions to abolish browser based private keys just because we have passkeys now?

As Apple stated, passkeys are a replacement for passwords. I suggest NOT a replacement for passwords but a biometrics enhancement of different web crypto capabilities, one is adding security to signed in browsers via biometrics, where web crypto keeps the browser signed in.
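
The flow discussed in this thread (a browser-held, non-extractable WebCrypto key that signs a server challenge only after a user check), as an added example that is not part of the issue or of the WebCrypto specification. `checkUser`, `signChallengeWithUserCheck` and the `verifyUser` callback are hypothetical stand-ins for the proposed check, and the challenge value is constructed.

```javascript
// Resolve WebCrypto in browsers and in Node (dynamic import works in CJS and ESM).
async function getSubtle() {
  const c = globalThis.crypto ?? (await import('node:crypto')).webcrypto;
  return c.subtle;
}

// Device key that keeps the browser signed in: ECDSA P-256, private key non-extractable.
async function createDeviceKey() {
  const subtle = await getSubtle();
  return subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, false, ['sign', 'verify']);
}

// Hypothetical stand-in for the proposed user check; no such WebCrypto call exists today.
// `verifyUser` is an async callback returning true/false, `timeoutMs` bounds the wait.
async function checkUser(verifyUser, timeoutMs) {
  let timer;
  const timeout = new Promise((resolve) => { timer = setTimeout(() => resolve(false), timeoutMs); });
  try {
    return (await Promise.race([verifyUser(), timeout])) === true;
  } finally {
    clearTimeout(timer);
  }
}

// Sign a server challenge only after the user check passes (hypothetical wrapper).
async function signChallengeWithUserCheck(privateKey, challenge, verifyUser, timeoutMs = 100_000) {
  if (!(await checkUser(verifyUser, timeoutMs))) throw new Error('user verification failed');
  const subtle = await getSubtle();
  return subtle.sign({ name: 'ECDSA', hash: 'SHA-256' }, privateKey, challenge);
}

// Server side: verify the signature against the registered public key.
async function verifyChallenge(publicKey, challenge, signature) {
  const subtle = await getSubtle();
  return subtle.verify({ name: 'ECDSA', hash: 'SHA-256' }, publicKey, signature, challenge);
}

// Runs the exchange with constructed inputs and returns the outcomes.
async function demo() {
  const { privateKey, publicKey } = await createDeviceKey();
  const challenge = new TextEncoder().encode('constructed-challenge-0001');
  const sig = await signChallengeWithUserCheck(privateKey, challenge, async () => true);
  const accepted = await verifyChallenge(publicKey, challenge, sig);
  const denied = await signChallengeWithUserCheck(privateKey, challenge, async () => false)
    .then(() => false, () => true);
  const exportBlocked = await (await getSubtle()).exportKey('pkcs8', privateKey)
    .then(() => false, () => true);
  return { accepted, denied, exportBlocked, sigLength: sig.byteLength };
}
```

The check here is enforced only by the wrapper: any script in the origin that holds the `CryptoKey` can call `subtle.sign` directly. That is the practical difference between a separate yes/no check and the operation-coupled check of issue #350.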