Meeting minutes
Issue 98: UX behavior when there are no matching credentials
https://
Stephen: In M94, notification rather than silence when no matching credentials.
Jonathan: So the user will receive a message that someone is trying to authenticate them?
… how would a user understand this merchant?
… e.g., messages like "use your security key" are likely to confuse the user.
[Stephen shows a screenshot of the notification message to the user, the way it will look in M94]
Jonathan: How does this address privacy concern?
Stephen: It prevents a timing attack.
… the attack goes like this:
… you call SPC with credentials and one of two things happens, either I have the authenticator (and SPC UI will show up) or I don't have authenticator and we would immediately exit.
… so the time to resolve the promise reveals information about the user environment
… this is how WebAuthn handles this attack.
Jonathan: This forces the use of cookies.
Stephen: I agree with you that that's a common implication.
Jonathan: Could we get consent at enrollment?
Stephen: That might work for WebAuthn but we decouple ceremony in SPC and let more people initiate authentication.
Jonathan: I think it would be worth exploring more options.
Ian: What about varying the response time for silent promise fail?
Stephen: Yes, we could also "wait some time"
… that has the downside of the user waiting around.
… for now we've aligned with WebAuthn behavior.
Jean-Carlo: Can the user interact with the page while waiting?
… probably not if you can monitor that the user is doing other actions during this time (which may suggest dialog is not showing)
… I think this approach is ok (not great) because it is at least clear to the user what's happening.
Stephen: When promise fails, it's a generic failure to not reveal user environment info.
Question: can SPC authentication be called from a cross-origin iframe with proper permissions?
Stephen: Yes. Nothing has changed re: using this in an iframe.
Gerhard comments
Ian: Thank you for your comments on GitHub. Any thorny ones to discuss?
Gerhard: Will there be a screen during enrollment?
Gerhard: Can you upgrade an SPC credential to use it for other auth?
… can you upgrade a WebAuthn credential later to payment?
Stephen:
- Yes, you can use an SPC credential with other WebAuthn use cases (e.g., login)
- Yes, our intention is to NOT show enrollment UX other than the WebAuthn UX
… we think that the WebAuthn UX is good enough re: establishing a relationship, and we prefer that the RP has the ability to handle communication as they see fit (e.g., to fulfill GDPR requirements, etc.)
… but I realize there's a difference of opinion here.
Gerhard: We need to be clearer in the spec about these points.
Ian: I think we can at most say "This spec does not preclude other uses of the credential."
Gerhard: Given a webauthn credential, how do I turn it into a payment credential?
Stephen: We need to broach this with the WebAuthn working group. We may get to a place where there is no extension for payments, or we may not.
… I think you can't update a credential; I think it's a replace operation.
Rolf: Some things are dynamic (don't affect credential). I think that for payment this might be how it works. "For a payment operation" use the credential this way.
… the operation determines behavior with the same credential.
Gerhard: Is the extension adding value?
… why not take it out?
Rolf: I think I agree.
… the credential is generic and might be used in various contexts.
… the RP will see the fact of how it was used in the assertion
… and if the RP was not prepared for a particular usage, it can reject the assertion.
Stephen: I agree. But I suspect that the WebAuthn will reject this.
Ian: We will chat with the WebAuthn WG mid-October
Stephen: I think we will launch with the extension but can revisit it
Gerhard: +1 to Rolf's comments.
Stephen: We may need it for caching but hope to be able to get rid of it.
Any implementation updates?
Stephen: We continue to update the implementation to align with the spec.
… if the spec doesn't say what you think it is right, let us know in an issue.
Next call
23 August