Apple is going to change the policy in Safari regarding the cookies; learning about it; potential problems Safari will use only session cookies Direct impact – domain name such as Safari, future browsers having that name storing the information common domain cookie would be a resolution of the issue they have to go to the domain where the cookie is used and ask acting as if it’s happening right now; other browser vendors Discovery case Research has to be made Web off is going to impact all of this
(Discussion with Leif:)
Impact that that might have?
Interact with your main keys
Q: Would the change in Safari will it have consequences? Will it happen?
A: you can’t set global cookies; you can’t have global cookies in an iFrame; any kind of SSO where you are using cookies, redirecting to the IdP; trick ppl to accepting global cookie; not cookies we tend to use for IdP;
Q: They could just reuse it?
A: It’s only once per device; You need to set global cookies from the main window.
A: In many browsers exposed as an alternative setting; So, it has some flow implications that will disable certain optimizations in the UI
Q: Is there a WebAuth dimension to this?
Start registering tokens as an SP, collect just name and email. This would reduce federation.
Q: How do they know this is the one?
A: You tell it which key handle you want to use
Main difference between WebAuth and FIDO U2F is that WebAuth has a PIN capability.
CTAP is a FIDO standard, runs over BTLE and 802.3x;
There are various token types; token is an abstract thing; default token or you might do a physical token; based on the level of the token; it’s supposed to be burned in the device
distinguish between token A and B; Need to do attestation, but this could be abused for user tracking. I want the user to use my token –> political fighting in the browser community for attestation
Web Auth is designed to target persistent identifier; 2 parties completely unlinkable Chrome - mitigating that stuff with attestation You get a high level of unlinkability, -> Problem with recovery; speculating what a recovery mode might look like Facebook - backchannel signaling; Do people perceive the level of recovery a problem? You’re a relying party - passwords are a liability; data that can get stolen; assurance level that if a relying party you want to stop having passwords; Account recovery is an issue, there is no Lol Account recovery IdP Email recovery via 2 accounts; having a recovery account with multiple tokens; if you keep more tokens at one place like amazon, you can recover your account on another website Both for soft tokens and ubi tokens, you will require more than 2; we want to know how many tokens we have registered You have two, you cannot do account recovery without 2 tokens soft tokens- cannot be seen; soft tokens will be connected with backend a lot of people enable physical tokens Convenience of usability in exchange for loss of privacy Credible path to not being tracked at all - user tracking in…is almost impossible Cannot do that without control over the client - only Chrome can do that today
Q: What technology would I have to add to have the same functionality?
A: ZKPs (Zero Knowledge Proofs) public key handle per user; keep track of public key handles
Q: Does that work in China? A: there are always legitimate worries about supply chains; supply chain security matters.
Good news of WebAuth are that user tracking is difficult if WebAuth is properly implemented; trackable through passwords/email addresses
Q: why would you keep Facebook and Google Sign-up?
A: Possibly left hand not knowing what right one is doing, different motivations in a large house. The problem of phishing and security breaches; most people will use Google Authenticator; most used OTPs are Google’s Authenticator extremely easy to hijack using OTPs today