(Rainer Hörbe)
(Discussion with Leif:)
Impact that that might have?
Interact with your main keys
Q: Will the change in Safari have consequences? Will it happen?
A: you can’t set global cookies; you can’t have global cookies in an iFrame; any kind of SSO where you are using cookies, redirecting to the IdP; trick people into accepting a global cookie; not cookies we tend to use for IdP;
Q: They could just reuse it?
A: It’s only once per device; You need to set global cookies from the main window.
A: In many browsers this is exposed as an alternative setting; so it has some flow implications that will disable certain optimizations in the UI
Q: Is there a WebAuth dimension to this?
A: No
Start registering tokens as an SP, collect just name and email. This would reduce federation.
WebAuthn is a W3C specification (https://www.w3.org/TR/webauthn/) in the frontend, a JavaScript interface to your authentication platform, 2-way; it really makes the browser frontend into a smartcard pile; every relying party that asks for auth gets an elliptic key pair; if your platform is a regular browser, you generate an elliptic key; it keeps that key as a reference to you. Works with YubiKey etc., works with keys encrypted per relying party
Q: How do they know this is the one?
A: You tell it which key handle you want to use
FIDO U2F
Main difference between WebAuthn and FIDO U2F is that WebAuthn has a PIN capability.
CTAP is a FIDO standard, runs over BTLE and 802.3x;
There are various token types; token is an abstract thing; default token or you might do a physical token; based on the level of the token; it’s supposed to be burned in the device
distinguish between token A and B; need to do attestation, but this could be abused for user tracking. I want the user to use my token -> political fighting in the browser community for attestation
WebAuthn is designed to target persistent identifiers; 2 parties completely unlinkable
Chrome - mitigating that stuff with attestation
You get a high level of unlinkability, -> Problem with recovery; speculating what a recovery mode might look like
Facebook - backchannel signaling;
Do people perceive the level of recovery a problem?
You’re a relying party - passwords are a liability; data that can get stolen; assurance level that
if a relying party you want to stop having passwords;
Account recovery is an issue, there is no Lol
Account recovery IdP
Email recovery via 2 accounts; having a recovery account with multiple tokens;
if you keep more tokens at one place like amazon, you can recover your account on another website
Both for soft tokens and Yubi tokens, you will require more than 2; we want to know how many tokens we have registered
You have two, you cannot do account recovery without 2 tokens
soft tokens- cannot be seen;
soft tokens will be connected with backend
a lot of people enable physical tokens
Convenience of usability in exchange for loss of privacy
Credible path to not being tracked at all - user tracking in…is almost impossible
Cannot do that without control over the client - only Chrome can do that today
Q: What technology would I have to add to have the same functionality?
A: ZKPs (zero-knowledge proofs); public key handle per user; keep track of public key handles
Q: Does that work in China? A: there are always legitimate worries about supply chains; supply chain security matters.
The good news about WebAuthn is that user tracking is difficult if WebAuthn is properly implemented; trackable through passwords/email addresses
Q: why would you keep Facebook and Google Sign-up?
A: Possibly the left hand not knowing what the right one is doing, different motivations in a large house. The problem of phishing and security breaches; most people will use Google Authenticator; the most used OTPs are Google’s Authenticator; extremely easy to hijack using OTPs today