As a side note, I will soon start work on updating the Cred Man[0] and Web 
Authn[1] docs on MDN, to tidy them up and make sure they are high quality.

Adam Powers originally did a huge amount of work contributing these docs 
(thanks Adam!), but we really ought to give them a good review.

I may well be in touch with questions soon ;-)

---

Chris Mills
MDN content lead & writers' team manager
MDN Web Docs
Mozilla
@chrisdavidmills

[0] https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API 
[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API 

> On Feb 8, 2019, at 9:08 PM, J.C. Jones <j...@mozilla.com> wrote:
> 
> Out of all multi-factor authentication solutions I know of, Web
> Authentication is our best technical response to the scourge of phishing.
> Tying public-key cryptography into web logins, it dramatically raises the
> bar for phishing: From a simple confusable website and replay attack, to an
> HTTPS network man-in-the-middle. In practice, Web Authentication forces
> adversaries to move to attack account recovery methods, which often have
> stronger controls than a standard login.
> 
> The specification is large
> <https://www.w3.org/TR/2019/PR-webauthn-20190117/>, with many backward
> compatibility pieces that Firefox is likely to never need to implement. The
> compatibility pieces are useful for providing the installed base of
> existing FIDO or TCG devices a path forward. The core website functions
> aren't so complex; Duo's explainer is very good, at https://webauthn.guide/
> . There's also forward-extensibility, leading toward a password-less future
> built on digital signatures rather than disclosing shared secrets.
> 
> Web Authentication is now supported by Edge, Firefox, and Chrome. Safari
> support is experimental.
> 
> Websites have been slower to pick it up. Major sites I know of: For the
> United States, https://login.gov/ uses it -- so as an example applying for
> the Global Entry traveler program will exercise a Web Authentication
> security key, if you choose. Dropbox
> <https://blogs.dropbox.com/tech/2018/05/introducing-webauthn-support-for-secure-dropbox-sign-in/>
> has also supported Web Authentication since Firefox 60 shipped.
> 
> Most other major properties have indicated they'll support Web
> Authentication sooner or later. Try it out at https://webauthn.io/,
> https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or
> even the lowly https://webauthn.bin.coffee/.
> 
> I encourage Mozilla to support advancement of Web Authentication to a
> Recommendation, and its end-goal of a phishing-free future. (Or at least, a
> much-reduced prevalence.  Really, I just wanted to write and imagine
> 'phishing-free.' Can you blame me?)
> 
> Cheers,
> J.C.
> [n.b., I'm an editor on this spec...]
> 
> 
> 
> On Thu, Jan 31, 2019 at 5:58 PM L. David Baron <dba...@dbaron.org> wrote:
> 
>> A W3C Proposed Recommendation is available for the membership of
>> W3C (including Mozilla) to vote on, before it proceeds to the final
>> stage of being a W3C Recommendation:
>> 
>>  Web Authentication
>>  https://www.w3.org/TR/webauthn/
>>  Deadline for responses: Thursday, February 14, 2019
>> 
>> If there are comments you think Mozilla should send as part of the
>> review, please say so in this thread.  Ideally, such comments should
>> link to github issues filed against the specification.  (I'd note,
>> however, that there have been previous opportunities to make
>> comments, so it's somewhat bad form to bring up fundamental issues
>> for the first time at this stage.)
>> 
>> Given that we implement this specification, one of the editors works
>> for us, and we have been supporting this work for a while, I'm assuming
>> we should support this advancement as well...
>> 
>> -David
>> 
>> --
>> 𝄞   L. David Baron                         http://dbaron.org/   𝄂
>> 𝄢   Mozilla                          https://www.mozilla.org/   𝄂
>>             Before I built a wall I'd ask to know
>>             What I was walling in or walling out,
>>             And to whom I was like to give offense.
>>               - Robert Frost, Mending Wall (1914)
>> _______________________________________________
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>> 
