UA Credential Safe interrogation.
Scenario:
- Tri-Bank has 1 or more registered users from this device (My Windows Hello PC "Bad Boy").
- There is no active session or ambient user to the RP (sub)domain. (Seeing local/session storage deprecated but all cookies also expired)
- I simply cannot see a usernameless login interaction possibility
- I will investigate that UPVA is deterministic on multi-user device but the spec is not only non-canonical, it seems to be off in fairy land :-(
WRT: -
Authentication WebAuthn-3 and Authentication WebAuthn-2
Please expand on point .2
The script asks the client for an Authentication Assertion, providing as much information as possible to narrow the choice of acceptable credentials for the user. This can be obtained from the data that was stored locally after registration, or by other means such as prompting the user for a username.
Which spec can we refer to (CTAP-10?) that will enlighten us to what is returned to a GET call with an empty "allowCredentials"?
How can the RP refine the user selection granularity without a .GET that either identifies a single user or returns new Error("non-deterministic");
Does no one else see this as pivotal?
If we always have to ask for username please just say "We always have to identify username first!"
Otherwise, could the user be prompted with: we have Ringo and Paul registered; which one do you want? :-(
And yes, I know Paul can't login to Ringo's account without his thumb. I'm alluding to the unacceptable disclosure of Ringo's financial activity to Paul. Probably not a big deal unless it was John :-)
Please explain the FIDO2 versus OAUTH2.0 philosophical diversions pros/cons here!
OAUTH2.0 :- Would you like to continue as dicky@gmail.com? Done! no password, biometric, PIN, blah, blah, blah, pre-authenticated and trusted
FIDO2 :- I've got a UPVA that I'll probably have to test you on or a number Authentication methods for a number of users that I'll get you to pick from
Sounds about right???
from FIDO2 / WebAuthn Heuristic discovery of ambient /pre-authorized user(s) at authentication time