Discuss how to allow RP to determine correct Platform Authenticator name

webauthn-adoption / practical-webauthn

Showing and telling how to deploy WebAuthn / FIDO2 across several languages and frameworks

https://webauthn.how

BSD 3-Clause "New" or "Revised" License

14 stars 2 forks source link

Discuss how to allow RP to determine correct Platform Authenticator name #6

Open nicksteele opened 3 years ago

nicksteele commented 3 years ago

In reference to Issue #1563 from the Working Group, discuss potential privacy preserving solutions and, if necessary, additions to the specification that can help RP developers have more information about authenticators for a better user experience.

dontcallmedom commented 3 years ago

my sense is that the (proposal from the OP](https://github.com/w3c/webauthn/issues/1563#issue-802917745) in the original issue - i.e. sharing the name of the platform-default authenticator - would bring basically zero additional fingerprinting: determining what platform a web site is being rendered on is indeed already possible using a variety of other platform-specific exposed features. @nicksteele, do you know if that specific proposal had been considered in the WG and/or discussed with the Privacy IG?

nicksteele commented 3 years ago

The only thing we currently can expose is whether or not the client device has a platform based authenticator present, via the isUserVerifyingPlatformAuthenticatorAvailable(). However there has been much recent discussion in the WG issues (however, not on the working group calls) about how we can fix this. It was mentioned in the WG that we should discuss this issue in the CG, and try to determine solutions that don't allow RPs to fish for authenticator info. I'm not sure if this was discussed in the Privacy interest group.

My hope is we can discuss it on the call this week and then come back to the WG ( or FIDO TWG or Privacy IG) with potential solutions.

MasterKale commented 3 years ago

The best we can do on this front right now is infer the type of platform authenticator based on heuristics involving values returned by attestation. The conversation in the WG thus far has not been friendly to the idea of some kind of getUserVerifyingPlatformAuthenticatorName() as it could potentially be privacy-invasive vis-a-vis browser fingerprinting (as Nick mentioned above).

I think development of some kind of common heuristics model could definitely fall under the CG. Level 2 isn't going anywhere and so there's need of some kind of solution while this gets hashed out to maybe become a feature of a future Level...

FlxMgdnz commented 3 years ago

Just a quick recap on the idea, following today's call:

Adding something simple like getUserVerifyingPlatformAuthenticatorName() to WebAuthn would help RPs with introducing Platform Authenticator modalities to consumers, i.e., "non-enterprise" users
Would allow the platform to define how the specific Platform Authenticator may be introduced to the user by the RP website for enrollment and authentication use cases (e.g., "Use Touch ID to sign in" etc.)
May be an optional value
TBD: What if the Platform Authenticator has multiple capabilities? On Windows, this is solved by "Windows Hello". But what about a future Apple device with, e.g., both Face ID & Touch ID? First idea: getUserVerifyingPlatformAuthenticatorNames() and let the RP decide.