TPAC 2FA Breakout

21 Sep 2016

See also: IRC log

<tantek> How many Nickservs in the channel?

<vivien> Another

alexei gives demo on u2f@github, shows various makes of hw keys and explains the communication methods different ones support (usb, nfc, bt)

rob demonstrates ms windows built in features for pin or facial recognition

<Zakim> aaronpk, you wanted to demo!

authenticator from phone to windows via bt

webauthn meant to provide a uniform api to be able to speak to this multitude of different types of devices

alexei shows yubikey registration on dropbox, mentions how this is usable by public sites and enterprises

<sandro> wondering how I search on Amazon for the right kind of device....

I think search was on u2f key (to be non-manufacturer specific)

aaron shows indieauth which is a service to abstract out and permit user to choose oauth or other services the user prefers

e.g. using github, fb, twitter or other service

federated login but not choosing one explicitly as many sites do "log in with facebook"

<Zakim> liam, you wanted to ask what happens when you lose the d*mn things or don't have one with you, or when they are stolen

liam points out two problems - losing key and someone finding/stealing and then using key

alexei responds that use case is exactly why they recommend using these keys as a second and not sole factor

<Zakim> alastairc, you wanted to ask about what happens when a user loses the hardware key?

how do you support users that have lost or break their key?

suggestion is that people keep a spare and have both registered (enterprise example but applicable to websites)

alexei shows comparison of otp vs hw key usability and user efficiency

also support is lower cost for hw key over time. both have initial learning curve but key is lower there too

discussion of ensuring user is identified properly when registering key[s]

lisa explains accessibility especially learning and cognitive disabilities concerns

not needing to remember a password is good, having something you can lose or forget how to use is bad

<tantek> "some people have already dropped out because W3C process was too overwhelming"

also please be sure you streamline so they only need to log in once, not repeatedly

think about usability in registration process

<Zakim> vivien, you wanted to ask about accessibility

vivien: think of the supporting-your-mom scenario (we have all been there)

(dad too)

talking a non-technical person through the process including purchasing key

affordability is also a concern, $50 is a big expense for some. requiring people to pay for better security will result in those with less financial means losing

<Zakim> alastairc, you wanted to ask about replacing username/passwords completely, rather than adding 2fa.

shipping pre-registered and training videos help

alastairc wonders why we are still keeping username+password as a factor

<wseltzer> [I like that u2f is unlinked to identity]

complementing gpg indieauth example

Vijay (from ms): that is why we are looking for a single way (webauthn) to represent various forms of auth such as facial recognition

goal is to go away from passwords entirely and replace that auth mechanism as well

best 2fa model imho is not just 2 methods but: something you know, and something you have

know could be gpg passphrase

<sandro> but in the end, security can be no better than your account-recovery mechanism, ... and those are hard.

<Zakim> tantek, you wanted to ask why do I have to use Google's user/pass + 2factor? I'd prefer for Google to just accept my own domain name, and not ask for user/pass+2fa. Let me decide

<Zakim> wseltzer, you wanted to discuss unlinkability

wendy likes unlinkable authentication (that doesn't reveal identity)

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/09/21 10:00:22 $
