WebAuthn minPinLength

[agl]

I'm requesting a TAG review of the minPinLength extension of CTAP 2.1, which would be exposed via WebAuthn.

In order to help organizations with meeting regulatory requirements, the current standard for security keys (CTAP 2.1) defines an extension called minPinLength. This allows the authenticator to report, when a credential is created, the authenticator's current configured minimum PIN length. Since the minimum can only be decreased by resetting the security key, which erases all credentials, an enterprise that uses this extension knows that the minimum was enforced whenever that credential is used.

• Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-minPinLength
• Specification URL: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension
• Tests: https://chromium-review.googlesource.com/c/chromium/src/+/3256056/4/third_party/blink/web_tests/external/wpt/webauthn/createcredential-minpinlength.https.html
• Primary contacts (and their relationship to the specification):
  • Adam Langley (agl), Google
• Organization(s)/project(s) driving the specification: Microsoft

Further details:

• [x] I have reviewed the TAG's Web Platform Design Principles
• The group where the work on this specification is currently being done: FIDO

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue

[hadleybeeman]

Hi @agl! We're just having a look at this issue — it just seems that you're just adding this feature to WebAuthn. Are you expecting there to be any web architectural issues? Or is the issue just to ask if we see any?

We can have a look, but if you're just adding to WebAuthn and the ramifications will all be within WebAuthn, we don't need to check it. :)

[chrishtr]

We can have a look, but if you're just adding to WebAuthn and the ramifications will all be within WebAuthn, we don't need to check it. :)

Hi Hadley,

While this might end up being just a simple addition to WebAuthn, it's hard to tell with web platform features when this is the case, or if there is some other unforeseen complication or relation to another feature. That's why the Blink process asks for a TAG review for all new features, even if they appear to be very small.

If it would help, maybe there could be a bit TAG review requesters could set that says something like "I think this feature is trivial/very simple", but IMO it will still be hard to judge, for the reason mentioned above.

I think it'd be better if the TAG could just quickly review situations like this review, and if it does appear to be entirely simple and self-contained, just resolve the review as satisfied, with a comment delegating trust that the spec WG's consensus system already covered it.

[torgo]

Hi @agl @chrishtr thanks for this. We've spent some time going through it this week and we're happy with the design and happy with closing this based on the information provided. Great to see security being boosted on the web.