[webauthn] Pre-Registration Discovery

hillbrad has just created a new issue for https://github.com/w3c/webauthn:

== Pre-Registration Discovery ==
Greetings, WebAuthN folks.

Facebook has now had U2F available as a second-factor authentication technology for not quite six months.  I'd like to share some challenges we have and are encountering with our deployment in hopes that these might be addressed by the WebAuthN work.

Specifically, I want to raise the issue that the lack of pre-registration discovery presents a major obstacle to both reach and usability.

In terms of reach, only a small number of people actually have U2F devices.  We would like to be able to enroll as many active users of these devices as possible, and expect that most people who are both U2F and Facebook users would like to use their devices with us. And yet, many people who use U2F don't know that Facebook supports it. If this is the case for the highly technical segment of people using U2F today at one of the world's most well-known websites, imagine how difficult this will be in the tail of services that may support Web AuthN.

It would be very helpful if, the first time a Web AuthN capability is used in a user agent, the individual was presented with the option to advertise that they have and use this capability, so that other services that support it can promote it to the user or prompt them to set it up.

A closely related problem is that giving good instructions to an individual registering their authenticator is very difficult with no information about how that authenticator is exposed or what ceremony is necessary to use it.  Facebook currently generically instructs people to insert their authenticator into the USB port of their computer, but those instructions are flatly wrong for a BTLE-attached device, or a U2F capability integrated into the chipset of their device but exposed over the USB bus.  Some of this information appears to become available as selectors in the WebAuthN API after an authenticator has already been registered, but not at the most critical time - when the person is first setting it up.

Again, it would be nice if there was an opt-in possible to let people advertise that they have an authenticator, and its basic capabilities, so that services which support it can present an appropriate registration experience.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/503 using your GitHub account

Received on Friday, 7 July 2017 00:50:39 UTC