On 7/4/23 20:12, Michael Thomas wrote:
As far as can tell there's a glaring hole in current IETF authentication protocols in that we don't have general purpose protocol support (not something that requires or expects a web browser) for (a) multi-factor authentication and (b) hardware keys.I think one of the biggest weaknesses of webauthn is that it has made hardware keys the enemy of software keys. For a huge swath of authentication needs, software private keys would be completely sufficient. I don't want to require a hardware frob to log into facebook or some other lame site. I don't want my laptop being obsoleted because it doesn't have a camera or finger print detector. The introduction of hardware with the FIDO stuff in webauthn makes it ridiculously more complicated and for no appreciable gain in security for the average case. I'm fine with hardware for my bank accounts whose companies can afford to figure this out, but the goal should be to make public key authentication drop dead simple for the rest and webauthn is definitely not that.
I guess I think that the authentication standards should be agnostic about what kind of authentication is used, that should be up to the service requiring authentication to decide. But every protocol should have at least one robust authentication method available that can be implemented purely in software and without using anything proprietary. (If a service wants to require some sort of proprietary frob to authenticate to that service, I guess that's up to them, but the standards should facilitate secure authentication between any two cooperating parties.)
As far as I can tell, it doesn't seem that webauthn specifically
excludes non-hardware credentials, but the last time I checked
browser support is either non-existent or extremely obscure
(Firefox requires an about:flags or whatever toggle, Chrome
doesn't support it at all). Suffice it to say, I gave up trying
to get it to work even though I was intimately familiar with what
they were trying to achieve. This doesn't need to be difficult and
frankly reeks of hardware dongle vendors self-interest to make
this impossible otherwise. That was extremely disappointing.
I have thought about bringing my webcrypto-only login/enrollment
to IETF for standardization but I'm not sure what the venue might
be. It doesn't require webcrypto per se -- webcrypto is just a
shim of normal crypto available to anything that has crypto
library access, after all. So it would work for anything -- native
apps, headless apps, etc. But it seems to be pushing on string for
anybody to care. Vested Interests for $2000, Alex. It's the curse
of public key cryptography in general.
Mike