09:03:54 <RRSAgent> RRSAgent has joined #webauthn
09:03:54 <RRSAgent> logging to http://www.w3.org/2016/09/21-webauthn-irc
09:03:55 <tripu> tripu has joined #webauthn
09:04:03 <RobTrace> RobTrace has joined #webauthn
09:04:28 <nadalin> nadalin has joined #webauthn
09:04:28 <mikepie> mikepie has joined #webauthn
09:04:34 <alastairc> alastairc has joined #webauthn
09:05:35 <alexei-goog> alexei-goog has joined #webauthn
09:06:01 <teddink> teddink has joined #webauthn
09:07:27 <liam> liam has joined #webauthn
09:07:49 <aaronpk> aaronpk has joined #webauthn
09:08:54 <vivien> vivien has joined #webauthn
09:09:02 <sandro> sandro has joined #webauthn
09:09:02 <tantek> tantek has joined #webauthn
09:09:05 <Yoshiro> Yoshiro has joined #webauthn
09:09:14 <wseltzer> Meeting: TPAC 2FA Breakout
09:09:17 <ted> ted has joined #webauthn
09:09:17 <Jean-Gui> Jean-Gui has joined #webauthn
09:09:34 <tantek> How many Nickservs in the channel?
09:12:48 <aaronpk> q+ to demo!
09:13:32 <vivien> Another democcccccevieuitgtvuthllhnurbrnvvgccbkhcijvihjg
09:14:20 <ted> s/democcccccevieuitgtvuthllhnurbrnvvgccbkhcijvihjg//
09:15:54 <Tomoyuki> Tomoyuki has joined #webauthn
09:16:02 <Tomoyuki> Tomoyuki has left #webauthn
09:16:31 <tantek> q?
09:16:55 <ted> alexei gives demo on u2f@github, shows various makes of hw keys and explains the communication methods different ones support (usb, nfc, bt)
09:18:06 <wseltzer> q+
09:18:14 <ted> rob demonstrates ms windows built in features for pin or facial recognition
09:18:25 <Zakim> aaronpk, you wanted to demo!
09:18:39 <ted> q+ aaronpk
09:19:15 <ted> authenticator from phone to windows via bt
09:19:45 <ted> webauthn meant to provide a uniform api to be able to speak to this multitude of different types of devices
09:22:55 <ted> alexei shows yubikey registration on dropbox, mentions how this is usable by public sites and enteprises
09:23:18 <sandro> wondering how I search on Amazon for the right kind of device....
09:24:49 <ted> i think search was on u2f key (to be non-manufacturer specific)
09:25:58 <ted> aaron shows indieauth which is a service to abstract out and permit user to choose oauth or other services the user prefers
09:26:27 <ted> eg using github, fb, twitter or other service
09:27:59 <ted> federated login but not choosing one explicitly as many sites do "log in with facebook"
09:28:03 <alastairc> alastairc has joined #webauthn
09:29:47 <alastairc> q+ to ask about what happens when a user looses the hardware key?
09:30:49 <Zakim> liam, you wanted to ask what happens when you lose the d*mn things or don't have one with you, or when they are stolen
09:30:58 <naomi> naomi has joined #webauthn
09:31:35 <ted> liam points out two problems - loosing key and someone finding/stealing and then using key
09:32:50 <ted> alexei responds that use case is exactly why they recommend using these keys as a second and not sole factor
09:35:58 <vivien> q+ to ask about accessibility
09:36:26 <vivien> q+ lisa
09:36:30 <Zakim> alastairc, you wanted to ask about what happens when a user looses the hardware key?
09:38:15 <ted> how do you support users that have lost or break their key?
09:38:38 <Tomoyuki> Tomoyuki has joined #webauthn
09:38:50 <Tomoyuki> Tomoyuki has left #webauthn
09:39:11 <ted> suggestion is that people keep a spare and have both registered (enteprise example but applicable to websites)
09:40:35 <ted> alexei shows comparison of otp vs hw key usability and user efficiency
09:41:54 <ted> also support is lower cost for hw key over time. both have initial learning curve but key is lower there too
09:42:33 <ted> discussion of ensuring user is identified properly when registering key[s]
09:42:43 <ted> ack l
09:43:13 <ted> lisa explains accessibility especially learning and cognitive disabilities concerns
09:43:35 <ted> not needing to remember a password is good, having something you can loose or forget how to use is bad
09:43:45 <tantek> "some people have already dropped out because W3C process was too overwhelming"
09:44:37 <ted> also please be sure you streamline so they only need to log in once, not repeatedly
09:44:48 <ted> think about usability in registration process
09:45:03 <Zakim> vivien, you wanted to ask about accessibility
09:45:33 <ted> vivien think of supporting your mom scenario (we have all been there)
09:45:44 <ted> (dad too)
09:46:16 <ted> talking a non-technical person through the process including purchasing key
09:47:18 <alastairc> q+ to ask about replacing username/passwords completely, rather than adding 2fa.
09:47:43 <ted> affordability is also a concern, $50 is a big expense for some. requiring people to pay for better security will result in those with less financial means losing
09:48:20 <sandro> q?
09:49:50 <Zakim> alastairc, you wanted to ask about replacing username/passwords completely, rather than adding 2fa.
09:50:01 <sandro> q+ to ask about deploying this in practice for w3c site, mandatory?
09:50:05 <ted> shipping pre-registered and training videos help
09:50:42 <ted> alastairc wonders why we are still keeping username+password as a factor
09:51:01 <wseltzer> [I like that u2f is unlinked to identity]
09:51:06 <ted> complimenting gpg indieauth example
09:51:15 <tantek> q?
09:52:03 <tantek> q+ to ask why do I have to use Google's user/pass + 2factor? I'd prefer for Google to just accept my own domain name, and not ask for user/pass+2fa. Let me decide who to auth with.
09:52:11 <sandro> q-
09:53:28 <ted> @@v (from ms) that is why we are looking for a single way (webauthn) to represent various forms of auth such as facial recognition
09:54:33 <ted> goal is to go away from passwords entirely and replace that auth mechanism as well
09:54:40 <wseltzer> s/@@v/Vijay/
09:55:11 <ted> best 2fa model imho is not just 2 methods but: something you know, and something you have
09:55:37 <ted> know could be gpg passphrase
09:55:54 <sandro> but in the end, security can be no better than your account-recovery mechanism, ... and those are hard.
09:56:46 <vivien> q?
09:56:53 <Zakim> tantek, you wanted to ask why do I have to use Google's user/pass + 2factor? I'd prefer for Google to just accept my own domain name, and not ask for user/pass+2fa. Let me decide
09:56:53 <Zakim> ... who to auth with.
09:57:05 <wseltzer> q+
09:57:06 <naomi> naomi has joined #webauthn
09:57:24 <wseltzer> q+ for unlinkability
09:58:01 <alastairc> alastairc has joined #webauthn
09:58:26 <Zakim> wseltzer, you wanted to discuss unlinkability
09:58:39 <ted> wendy likes unlinkable authentication (that doesn't reveal identity)
10:00:17 <wseltzer> rrsagent, make minutes
10:00:17 <RRSAgent> I have made the request to generate http://www.w3.org/2016/09/21-webauthn-minutes.html wseltzer
10:06:10 <nadalin> nadalin has left #webauthn
10:07:13 <Yoshiro> Yoshiro has left #webauthn
10:08:09 <liam> liam has joined #webauthn
10:09:16 <tantek> tantek has joined #webauthn
10:09:43 <liam> liam has left #webauthn
10:13:28 <vivien> vivien has left #webauthn
11:17:02 <tripu> tripu has left #webauthn
11:51:06 <naomi> naomi has joined #webauthn
11:57:39 <naomi> naomi has joined #webauthn
11:58:44 <naomi> naomi has joined #webauthn
12:06:49 <kaorumaeda> kaorumaeda has joined #webauthn
12:18:25 <naomi> naomi has joined #webauthn
12:32:25 <naomi> naomi has joined #webauthn
12:36:21 <naomi> naomi has joined #webauthn
12:53:59 <tantek> tantek has joined #webauthn
13:01:24 <naomi> naomi has joined #webauthn
13:02:21 <kaorumaeda> kaorumaeda has joined #webauthn
13:13:52 <tantek> tantek has joined #webauthn
14:31:09 <kaorumaeda> kaorumaeda has joined #webauthn
14:37:52 <tantek> tantek has joined #webauthn
15:38:11 <kaorumaeda> kaorumaeda has joined #webauthn
15:49:43 <naomi> naomi has joined #webauthn
16:30:52 <naomi> naomi has joined #webauthn
16:54:55 <naomi> naomi has joined #webauthn
21:58:09 <kaorumaeda> kaorumaeda has joined #webauthn
22:28:32 <kaorumaeda> kaorumaeda has joined #webauthn
22:35:26 <kaorumaeda_> kaorumaeda_ has joined #webauthn