See also: IRC log
<tantek> How many Nickservs in the channel?
<vivien> Another
alexei gives demo on u2f@github, shows various makes of hw keys and explains the communication methods different ones support (usb, nfc, bt)
rob demonstrates ms windows built in features for pin or facial recognition
<Zakim> aaronpk, you wanted to demo!
authenticator from phone to windows via bt
webauthn meant to provide a uniform api to be able to speak to this multitude of different types of devices
alexei shows yubikey registration on dropbox, mentions how this is usable by public sites and enterprises
<sandro> wondering how I search on Amazon for the right kind of device....
i think search was on u2f key (to be non-manufacturer specific)
aaron shows indieauth which is a service to abstract out and permit user to choose oauth or other services the user prefers
eg using github, fb, twitter or other service
federated login but not choosing one explicitly as many sites do "log in with facebook"
<Zakim> liam, you wanted to ask what happens when you lose the d*mn things or don't have one with you, or when they are stolen
liam points out two problems - losing key and someone finding/stealing and then using key
alexei responds that use case is exactly why they recommend using these keys as a second and not sole factor
<Zakim> alastairc, you wanted to ask about what happens when a user loses the hardware key?
how do you support users that have lost or broken their key?
suggestion is that people keep a spare and have both registered (enterprise example but applicable to websites)
alexei shows comparison of otp vs hw key usability and user efficiency
also support is lower cost for hw key over time. both have initial learning curve but key is lower there too
discussion of ensuring user is identified properly when registering key[s]
lisa explains accessibility especially learning and cognitive disabilities concerns
not needing to remember a password is good, having something you can lose or forget how to use is bad
<tantek> "some people have already dropped out because W3C process was too overwhelming"
also please be sure you streamline so they only need to log in once, not repeatedly
think about usability in registration process
<Zakim> vivien, you wanted to ask about accessibility
vivien think of supporting your mom scenario (we have all been there)
(dad too)
talking a non-technical person through the process including purchasing key
affordability is also a concern, $50 is a big expense for some. requiring people to pay for better security will result in those with less financial means losing
<Zakim> alastairc, you wanted to ask about replacing username/passwords completely, rather than adding 2fa.
shipping pre-registered and training videos help
alastairc wonders why we are still keeping username+password as a factor
<wseltzer> [I like that u2f is unlinked to identity]
complimenting gpg indieauth example
Vijay (from ms) that is why we are looking for a single way (webauthn) to represent various forms of auth such as facial recognition
goal is to go away from passwords entirely and replace that auth mechanism as well
best 2fa model imho is not just 2 methods but: something you know, and something you have
know could be gpg passphrase
<sandro> but in the end, security can be no better than your account-recovery mechanism, ... and those are hard.
<Zakim> tantek, you wanted to ask why do I have to use Google's user/pass + 2factor? I'd prefer for Google to just accept my own domain name, and not ask for user/pass+2fa. Let me decide
<Zakim> wseltzer, you wanted to discuss unlinkability
wendy likes unlinkable authentication (that doesn't reveal identity)
This is scribe.perl Revision: 1.144 of Date: 2015/11/17 08:39:34. Guessing ScribeNick: ted. Got date from IRC log name: 21 Sep 2016. Guessing minutes URL: http://www.w3.org/2016/09/21-webauthn-minutes.html