On 7/4/23 20:12, Michael Thomas wrote:
As far as I can tell there's a glaring hole in current IETF authentication protocols in that we don't have general purpose protocol support (not something that requires or expects a web browser) for (a) multi-factor authentication and (b) hardware keys.

I think one of the biggest weaknesses of webauthn is that it has made hardware keys the enemy of software keys. For a huge swath of authentication needs, software private keys would be completely sufficient. I don't want to require a hardware frob to log into facebook or some other lame site. I don't want my laptop being obsoleted because it doesn't have a camera or fingerprint detector. The introduction of hardware with the FIDO stuff in webauthn makes it ridiculously more complicated and for no appreciable gain in security for the average case. I'm fine with hardware for my bank accounts whose companies can afford to figure this out, but the goal should be to make public key authentication drop dead simple for the rest, and webauthn is definitely not that.
I guess I think that the authentication standards should be agnostic about what kind of authentication is used, that should be up to the service requiring authentication to decide. But every protocol should have at least one robust authentication method available that can be implemented purely in software and without using anything proprietary. (If a service wants to require some sort of proprietary frob to authenticate to that service, I guess that's up to them, but the standards should facilitate secure authentication between any two cooperating parties.)
Keith