[webauthn] Authenticator disconnect event

dsanders11 has just created a new issue for https://github.com/w3c/webauthn:

== Authenticator disconnect event ==
I think it would be useful to developers if an authenticator disconnect event was part of this spec. It would allow UXs such as log out on disconnect. This is useful to help prevent users from sharing physical keys between devices, as removing the key would log you out. It also lowers the attack potential where someone has brief physical access to a key and can walk away with a signed-in session. Obviously both can be thwarted by a technically knowledgeable attacker who disables this part of the JavaScript client code, but it prevents casual abuse.

This is aimed at roaming authenticators, since they're able to be disconnected. While the spec seems to encourage the use of platform authenticators whenever possible, I think there's a strong use-case for shared devices which will require roaming authenticators. Employees at a company who share a computer, for example, might be required to log in at the start of their shift with a roaming authenticator personal to them. By making authenticator disconnect cause log out it can help prevent forgetting to log out and walking away from the computer. In cases where this is of utmost importance it can even be physically enforced by something simple like having the roaming authenticator attached to a retractable cable hooked to the employee's belt.

So, long-winded preamble over with, I'm suggesting an API which looks like

```javascript
document.addEventListener('authenticatordisconnect', function (event) {
  // Log out user
})
```

The event may provide information to differentiate authenticators to allow a use-case where multiple are used, such as enforcing a [two-man rule](https://en.wikipedia.org/wiki/Two-man_rule#Cryptographic_material).

I'm going to err on the side of caution as far as the security aspect of this goes and suggest the event would only fire for authenticators that have successfully performed `navigator.credentials.get(...)` on the current page, so that information regarding authenticators isn't leaked. If this isn't a security concern, it could be useful to have a corresponding `authenticatorconnect` event to aid designing UX flows.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1107 using your GitHub account

Received on Saturday, 27 October 2018 19:31:56 UTC
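
The gating rule proposed in the issue (fire the event only for authenticators that completed `navigator.credentials.get(...)` on the current page) together with the two-man-rule use case, modelled as an added example that is not part of the original post or of any WebAuthn implementation. `PageAuthenticators`, `recordAssertion`, `transportLost`, `TwoPersonSession`, the `authenticatorHandle` property and the device ids are hypothetical names constructed for illustration.

```javascript
// Hypothetical model: no browser implements 'authenticatordisconnect'.
class AuthenticatorDisconnectEvent extends Event {
  constructor(authenticatorHandle) {
    super('authenticatordisconnect');
    this.authenticatorHandle = authenticatorHandle; // opaque, tells keys apart
  }
}

class PageAuthenticators extends EventTarget {
  #asserted = new Map(); // device id -> opaque handle, current page only
  #next = 1;
  // Called after navigator.credentials.get(...) succeeded with this device.
  recordAssertion(deviceId) {
    if (!this.#asserted.has(deviceId)) this.#asserted.set(deviceId, `auth-${this.#next++}`);
    return this.#asserted.get(deviceId);
  }
  // Called when a roaming authenticator goes away; true if the page was told.
  transportLost(deviceId) {
    const handle = this.#asserted.get(deviceId);
    if (handle === undefined) return false; // never asserted here: stay silent
    this.#asserted.delete(deviceId);
    this.dispatchEvent(new AuthenticatorDisconnectEvent(handle));
    return true;
  }
}

// Two-man rule: the session stays valid only while both keys are connected.
class TwoPersonSession {
  constructor(authenticators, handles) {
    this.active = true;
    this.loggedOutBy = null;
    authenticators.addEventListener('authenticatordisconnect', (event) => {
      if (!this.active || !handles.includes(event.authenticatorHandle)) return;
      this.active = false; // log out
      this.loggedOutBy = event.authenticatorHandle;
    });
  }
}

function demo() {
  const page = new PageAuthenticators();
  const alice = page.recordAssertion('usb-key-A'); // constructed device ids
  const bob = page.recordAssertion('usb-key-B');
  const session = new TwoPersonSession(page, [alice, bob]);
  const leaked = page.transportLost('usb-key-C'); // never used on this page
  const activeAfterStranger = session.active;
  const fired = page.transportLost('usb-key-B');
  return { leaked, activeAfterStranger, fired, active: session.active, loggedOutBy: session.loggedOutBy, bob };
}
```

Because the handle is minted per page and only after a successful assertion, a page learns nothing about keys it never authenticated with, which is the leak the issue wants to avoid.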