Webauthn: Is there a community for webauthn implementation discussion?

Created on 25 Oct 2018  路  5Comments  路  Source: w3c/webauthn

I would like to discuss with other businesses that are testing / contemplating the UX surrounding webauthn support on their apps.

I have subscribed to the mailing list and here, but it feels like general discussions of this matter are off-topic for this repository.

While I have some eyeballs, one question I plan to ask fellow prospective implementations is how to deal with key loss. ie. with TOTP based 2FA backup codes exist, and many places encourage printing / storing securely these codes. What are people thinking on this topic?

One of our engineers said "encourage them to register all their devices. I doubt someone will lose their macbook, smartphone, home pc all at once" however, this assumes most of our users hold multiple devices that support webauthn.

Most helpful comment

Please also note that the "device loss" aka "account recovery" aka "key loss" topic(s) are touched upon in issue #931 and the resources it references (which now includes this issue).

All 5 comments

While I have some eyeballs, one question I plan to ask fellow prospective implementations is how to deal with key loss. ie. with TOTP based 2FA backup codes exist, and many places encourage printing / storing securely these codes. What are people thinking on this topic?

What prevents your implementation from having backup codes? That seems outside the scope of WebAuthn. If you provide the user with a backup code (which is a one-time use code that leads to account reset, like the link in an account password reset email) then your login flow can provide an opportunity to use the backup code to reset their account and remove the lost key.

That seems outside the scope of WebAuthn.

While I agree that the WebAuthn spec should not require anything in regards to key loss, I think that a place to discuss implementation details like this is useful to increasing adoption.

Nothing prevents me from implementing it. But your assumption tells me you agree that adding a reset code feature is recommended? I am impartial to the idea, and am just open to new ideas from other implementations... maybe someone thought of new implications that WebAuthn introduces (considering the fact that it is much broader than the current "norms" of 2FA which is restricted usually to a TOTP based app on a smartphone in most implementations).

ie. UX design around auth will now have to account for "this could be biometrics tied to a device" or "this could be a USB key with NFC on it so it can be used with multiple devices."... So if you activate password-less login and disable password login, and the only device registered is a Yubikey, you can login with any device that accepts input from a Yubikey, but if it's an iPhone TouchID, then that user can only login with one device now... unless we add some way to have the WebAuthn auth from the iPhone allow the user to login on another device through push notifications and native apps on our backend etc.

When designing an auth system using WebAuthn... it feels like 99% of people look at it as a drop in replacement for passwords|TOTP|SMS whatever it may be... but after talking to our designers and UX guys after reading into the spec, it's a lot more complicated than that IMO.

Again, to bring things back in for a moment: Is there a place where people who are implementing are gathering that I might be able to lurk/participate in?

fyi/fwiw, Brett McDowell notes here https://lists.w3.org/Archives/Public/public-webauthn/2018Oct/0151.html:

There is a public FIDO developer forum (Google Group) that would be
inclusive of WebAuthn implementation topics. You can sign-up for that
group (and a few other public community services) here:

https://fidoalliance.org/participate/community/ [points to fido-dev among other community resources]

"fido-dev" is here: https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Please also note that the "device loss" aka "account recovery" aka "key loss" topic(s) are touched upon in issue #931 and the resources it references (which now includes this issue).

Google Group answers main question.

931 covers my initial query.

Thanks a ton!

Was this page helpful?
0 / 5 - 0 ratings