Is there a community for webauthn implementation discussion? #1106
Comments
What prevents your implementation from having backup codes? That seems outside the scope of WebAuthn. If you provide the user with a backup code (which is a one-time use code that leads to account reset, like the link in an account password reset email) then your login flow can provide an opportunity to use the backup code to reset their account and remove the lost key.
While I agree that the WebAuthn spec should not require anything in regards to key loss, I think that a place to discuss implementation details like this is useful to increasing adoption. Nothing prevents me from implementing it. But your assumption tells me you agree that adding a reset code feature is recommended? I am impartial to the idea, and am just open to new ideas from other implementations... maybe someone thought of new implications that WebAuthn introduces (considering the fact that it is much broader than the current "norms" of 2FA, which is usually restricted to a TOTP-based app on a smartphone in most implementations).

I.e. UX design around auth will now have to account for "this could be biometrics tied to a device" or "this could be a USB key with NFC on it so it can be used with multiple devices."... So if you activate password-less login and disable password login, and the only device registered is a YubiKey, you can login with any device that accepts input from a YubiKey, but if it's an iPhone Touch ID, then that user can only login with one device now... unless we add some way to have the WebAuthn auth from the iPhone allow the user to login on another device through push notifications and native apps on our backend etc.

When designing an auth system using WebAuthn... it feels like 99% of people look at it as a drop-in replacement for passwords|TOTP|SMS, whatever it may be... but after talking to our designers and UX guys after reading into the spec, it's a lot more complicated than that IMO.

Again, to bring things back in for a moment: Is there a place where people who are implementing are gathering that I might be able to lurk/participate in?
FYI/FWIW, Brett McDowell notes here https://lists.w3.org/Archives/Public/public-webauthn/2018Oct/0151.html:
"fido-dev" is here: https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev
Please also note that the "device loss" aka "account recovery" aka "key loss" topic(s) are touched upon in issue #931 and the resources it references (which now includes this issue).
Google Group answers main question. 931 covers my initial query. Thanks a ton!
I would like to discuss with other businesses that are testing / contemplating the UX surrounding webauthn support on their apps.
I have subscribed to the mailing list and here, but it feels like general discussions of this matter are off-topic for this repository.
While I have some eyeballs, one question I plan to ask fellow prospective implementations is how to deal with key loss. I.e. with TOTP-based 2FA, backup codes exist, and many places encourage printing / storing these codes securely. What are people thinking on this topic?
One of our engineers said "encourage them to register all their devices. I doubt someone will lose their MacBook, smartphone, home PC all at once." However, this assumes most of our users hold multiple devices that support WebAuthn.
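The one-time backup code flow described in the first reply (a code that, once redeemed, lets the user reset the account and remove the lost key) and asked about in the issue body, written out as an added example for this page. It is not code from the issue, the WebAuthn spec, or any implementation discussed here. The `PEPPER` value, the 10-character code format, the record layout and the function names are assumptions made for the example; a real service would load the pepper from a secret store and persist the records with the account.

```python
import hashlib
import hmac
import secrets
import string

# Assumed values for this example: a real service would load PEPPER from a
# secret store and tune the lengths/counts to its own policy.
PEPPER = b"constructed-server-side-pepper-not-a-real-secret"
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
CODE_LENGTH = 10                                    # 36**10 ~ 2**51.7 guesses
CODE_COUNT = 8


def normalize(code: str) -> str:
    """Canonical form of a user-typed code: lowercase, no dashes or spaces.
    Users copy these from printouts, so be forgiving about formatting."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def digest(code: str) -> str:
    """Keyed hash that is stored instead of the code itself. With a ~52-bit
    random code and a server-held pepper, a leaked table alone does not let
    an attacker recover usable codes."""
    return hmac.new(PEPPER, normalize(code).encode(), hashlib.sha256).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (codes_to_show_once, records_to_store).

    The plaintext list is shown to the user exactly once (for printing or a
    password manager); only the hashed records are persisted with the account."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(f"{raw[:5]}-{raw[5:]}")       # dash only aids readability
    records = [{"digest": digest(c), "used": False} for c in codes]
    return codes, records


def redeem_backup_code(records, submitted: str) -> bool:
    """Consume one unused code; return True if the account reset may proceed.

    Every record is compared (no early exit) with a constant-time compare, and
    a matching code is marked used so the same printout line cannot be replayed."""
    target = digest(submitted)
    match = None
    for rec in records:
        if hmac.compare_digest(rec["digest"], target) and not rec["used"]:
            match = rec
    if match is None:
        return False
    match["used"] = True
    return True


def remaining_codes(records) -> int:
    """How many unused codes are left; prompt the user to regenerate when low."""
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    codes, stored = generate_backup_codes()
    print("show once:", codes)
    # The user lost their authenticator and types a code from the printout:
    if redeem_backup_code(stored, codes[0].upper()):
        print("reset allowed: remove the lost credential, then enrol a new one")
    print("replay rejected:", not redeem_backup_code(stored, codes[0]))
    print("remaining:", remaining_codes(stored))
```

The redeem step is only the gate: the handler that calls it should then remove the lost credential, require enrolment of a new authenticator before the session is fully trusted, and write an audit event. Redemption attempts should also be rate-limited per account, since a backup code is effectively a second, weaker credential.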