Re: W3C Proposed Recommendation: Web Authentication

2019-02-11 Thread Chris Mills
As a side note, I will soon start work on updating the Cred Man[0] and Web 
Authn[1] docs on MDN, to tidy them up and make sure they are high quality.

Adam Powers originally did a huge amount of work contributing these docs 
(thanks Adam!), but we really ought to give them a good review.

I may well be in touch with questions soon ;-)

---

Chris Mills
MDN content lead & writers' team manager
MDN Web Docs
Mozilla
@chrisdavidmills

[0] https://developer.mozilla.org/en-US/docs/Web/API/Credential_Management_API 

[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API 
 

> On Feb 8, 2019, at 9:08 PM, J.C. Jones  wrote:
> 
> Out of all multi-factor authentication solutions I know of, Web
> Authentication is our best technical response to the scourge of phishing.
> Tying public-key cryptography into web logins, it dramatically raises the
> bar for phishing: From a simple confusable website and replay attack, to an
> HTTPS network man-in-the-middle. In practice, Web Authentication forces
> adversaries to move to attack account recovery methods, which often have
> stronger controls than a standard login.
> 
> The specification is large, with many backward
> compatibility pieces that Firefox is likely to never need to implement. The
> compatibility pieces are useful for providing the installed base of
> existing FIDO or TCG devices a path forward. The core website functions
> aren't so complex; Duo's explainer is very good, at https://webauthn.guide/
> . There's also forward-extensibility, leading toward a password-less future
> built on digital signatures rather than disclosing shared secrets.
> 
> Web Authentication is now supported by Edge, Firefox, and Chrome. Safari
> support is experimental.
> 
> Websites have been slower to pick it up. Major sites I know of: For the
> United States, https://login.gov/ uses it -- so as an example applying for
> the Global Entry traveler program will exercise a Web Authentication
> security key, if you choose. Dropbox
> has also supported Web Authentication since Firefox 60 shipped.
> 
> Most other major properties have indicated they'll support Web
> Authentication sooner or later. Try it out at https://webauthn.io/,
> https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or
> even the lowly https://webauthn.bin.coffee/.
> 
> I encourage Mozilla to support advancement of Web Authentication to a
> Recommendation, and its end-goal of a phishing-free future. (Or at least, a
> much-reduced prevalence.  Really, I just wanted to write and imagine
> 'phishing-free.' Can you blame me?)
> 
> Cheers,
> J.C.
> [n.b., I'm an editor on this spec...]
> 
> 
> 
> On Thu, Jan 31, 2019 at 5:58 PM L. David Baron  wrote:
> 
>> A W3C Proposed Recommendation is available for the membership of
>> W3C (including Mozilla) to vote on, before it proceeds to the final
>> stage of being a W3C Recommendation:
>> 
>>  Web Authentication
>>  https://www.w3.org/TR/webauthn/
>>  Deadline for responses: Thursday, February 14, 2019
>> 
>> If there are comments you think Mozilla should send as part of the
>> review, please say so in this thread.  Ideally, such comments should
>> link to github issues filed against the specification.  (I'd note,
>> however, that there have been previous opportunities to make
>> comments, so it's somewhat bad form to bring up fundamental issues
>> for the first time at this stage.)
>> 
>> Given that we implement this specification, one of the editors works
>> for us, and have been supporting this work for a while, I'm assuming
>> we should support this advancement as well...
>> 
>> -David
>> 
>> --
>> 𝄞   L. David Baron http://dbaron.org/   𝄂
>> 𝄢   Mozilla  https://www.mozilla.org/   𝄂
>> Before I built a wall I'd ask to know
>> What I was walling in or walling out,
>> And to whom I was like to give offense.
>>   - Robert Frost, Mending Wall (1914)
>> ___
>> dev-platform mailing list
>> dev-platform@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-platform
>> 


Re: W3C Proposed Recommendation: Web Authentication

2019-02-08 Thread Joseph Lorenzo Hall
+1 and thank you for all the hard work on the spec and landing so much in
FF, JCJ!!!

On Fri, Feb 8, 2019 at 4:09 PM J.C. Jones  wrote:

> Out of all multi-factor authentication solutions I know of, Web
> Authentication is our best technical response to the scourge of phishing.
> Tying public-key cryptography into web logins, it dramatically raises the
> bar for phishing: From a simple confusable website and replay attack, to an
> HTTPS network man-in-the-middle. In practice, Web Authentication forces
> adversaries to move to attack account recovery methods, which often have
> stronger controls than a standard login.
>
> The specification is large, with many backward
> compatibility pieces that Firefox is likely to never need to implement. The
> compatibility pieces are useful for providing the installed base of
> existing FIDO or TCG devices a path forward. The core website functions
> aren't so complex; Duo's explainer is very good, at
> https://webauthn.guide/
> . There's also forward-extensibility, leading toward a password-less future
> built on digital signatures rather than disclosing shared secrets.
>
> Web Authentication is now supported by Edge, Firefox, and Chrome. Safari
> support is experimental.
>
> Websites have been slower to pick it up. Major sites I know of: For the
> United States, https://login.gov/ uses it -- so as an example applying for
> the Global Entry traveler program will exercise a Web Authentication
> security key, if you choose. Dropbox
> <https://blogs.dropbox.com/tech/2018/05/introducing-webauthn-support-for-secure-dropbox-sign-in/>
> has also supported Web Authentication since Firefox 60 shipped.
>
> Most other major properties have indicated they'll support Web
> Authentication sooner or later. Try it out at https://webauthn.io/,
> https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or
> even the lowly https://webauthn.bin.coffee/.
>
> I encourage Mozilla to support advancement of Web Authentication to a
> Recommendation, and its end-goal of a phishing-free future. (Or at least, a
> much-reduced prevalence.  Really, I just wanted to write and imagine
> 'phishing-free.' Can you blame me?)
>
> Cheers,
> J.C.
> [n.b., I'm an editor on this spec...]
>
>
>
> On Thu, Jan 31, 2019 at 5:58 PM L. David Baron  wrote:
>
> > A W3C Proposed Recommendation is available for the membership of
> > W3C (including Mozilla) to vote on, before it proceeds to the final
> > stage of being a W3C Recommendation:
> >
> >   Web Authentication
> >   https://www.w3.org/TR/webauthn/
> >   Deadline for responses: Thursday, February 14, 2019
> >
> > If there are comments you think Mozilla should send as part of the
> > review, please say so in this thread.  Ideally, such comments should
> > link to github issues filed against the specification.  (I'd note,
> > however, that there have been previous opportunities to make
> > comments, so it's somewhat bad form to bring up fundamental issues
> > for the first time at this stage.)
> >
> > Given that we implement this specification, one of the editors works
> > for us, and have been supporting this work for a while, I'm assuming
> > we should support this advancement as well...
> >
> > -David
> >
> > --
> > 𝄞   L. David Baron http://dbaron.org/   𝄂
> > 𝄢   Mozilla  https://www.mozilla.org/   𝄂
> >  Before I built a wall I'd ask to know
> >  What I was walling in or walling out,
> >  And to whom I was like to give offense.
> >    - Robert Frost, Mending Wall (1914)
>


-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Don't miss out! CDT's Tech Prom is April 10, 2019, at The
Anthem. Please join us: https://cdt.org/annual-dinner/


Re: W3C Proposed Recommendation: Web Authentication

2019-02-08 Thread J.C. Jones
Out of all multi-factor authentication solutions I know of, Web
Authentication is our best technical response to the scourge of phishing.
Tying public-key cryptography into web logins, it dramatically raises the
bar for phishing: From a simple confusable website and replay attack, to an
HTTPS network man-in-the-middle. In practice, Web Authentication forces
adversaries to move to attack account recovery methods, which often have
stronger controls than a standard login.

The specification is large, with many backward
compatibility pieces that Firefox is likely to never need to implement. The
compatibility pieces are useful for providing the installed base of
existing FIDO or TCG devices a path forward. The core website functions
aren't so complex; Duo's explainer is very good, at https://webauthn.guide/
. There's also forward-extensibility, leading toward a password-less future
built on digital signatures rather than disclosing shared secrets.

Web Authentication is now supported by Edge, Firefox, and Chrome. Safari
support is experimental.

Websites have been slower to pick it up. Major sites I know of: For the
United States, https://login.gov/ uses it -- so as an example applying for
the Global Entry traveler program will exercise a Web Authentication
security key, if you choose. Dropbox
has also supported Web Authentication since Firefox 60 shipped.

Most other major properties have indicated they'll support Web
Authentication sooner or later. Try it out at https://webauthn.io/,
https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or
even the lowly https://webauthn.bin.coffee/.

I encourage Mozilla to support advancement of Web Authentication to a
Recommendation, and its end-goal of a phishing-free future. (Or at least, a
much-reduced prevalence.  Really, I just wanted to write and imagine
'phishing-free.' Can you blame me?)

Cheers,
J.C.
[n.b., I'm an editor on this spec...]



On Thu, Jan 31, 2019 at 5:58 PM L. David Baron  wrote:

> A W3C Proposed Recommendation is available for the membership of
> W3C (including Mozilla) to vote on, before it proceeds to the final
> stage of being a W3C Recommendation:
>
>   Web Authentication
>   https://www.w3.org/TR/webauthn/
>   Deadline for responses: Thursday, February 14, 2019
>
> If there are comments you think Mozilla should send as part of the
> review, please say so in this thread.  Ideally, such comments should
> link to github issues filed against the specification.  (I'd note,
> however, that there have been previous opportunities to make
> comments, so it's somewhat bad form to bring up fundamental issues
> for the first time at this stage.)
>
> Given that we implement this specification, one of the editors works
> for us, and have been supporting this work for a while, I'm assuming
> we should support this advancement as well...
>
> -David
>
> --
> 𝄞   L. David Baron http://dbaron.org/   𝄂
> 𝄢   Mozilla  https://www.mozilla.org/   𝄂
>  Before I built a wall I'd ask to know
>  What I was walling in or walling out,
>  And to whom I was like to give offense.
>    - Robert Frost, Mending Wall (1914)
>
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
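
The replay and confusable-website cases described in the message above, as an added example that is not part of the thread or of any browser's or site's code: a simplified relying-party check in Node.js, run against a constructed stand-in for a security key. The function names and the `login.example` / `1ogin.example` origins are assumptions made for illustration; a production check would also track the signature counter and rely on a maintained WebAuthn library.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Constructed stand-in for browser + security key. The browser, not the page,
// writes `origin`; the key signs authenticatorData || SHA-256(clientDataJSON).
function simulateAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // rpIdHash (32 bytes) | flags (0x01 = user present) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, { publicKey, rpId, origin, challenge }) {
  let c;
  try { c = JSON.parse(a.clientDataJSON.toString('utf8')); } catch { return 'bad-client-data'; }
  if (c.type !== 'webauthn.get') return 'bad-type';
  if (c.challenge !== challenge.toString('base64url')) return 'challenge-mismatch'; // replay
  if (c.origin !== origin) return 'origin-mismatch'; // confusable website
  if (a.authenticatorData.length < 37) return 'bad-authenticator-data';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(rpId))) return 'rp-id-mismatch';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Runs four constructed cases and returns the verdict for each.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const rp = { publicKey, rpId: 'login.example', origin: 'https://login.example' };
  const first = randomBytes(32), second = randomBytes(32); // one fresh challenge per login
  const good = simulateAssertion(privateKey, rp.rpId, rp.origin, first);
  // Worst case for the site: same key and RP ID, but the browser saw a confusable origin.
  const phished = simulateAssertion(privateKey, rp.rpId, 'https://1ogin.example', first);
  return {
    legitimate: verifyAssertion(good, { ...rp, challenge: first }),
    replayed: verifyAssertion(good, { ...rp, challenge: second }),
    lookAlike: verifyAssertion(phished, { ...rp, challenge: first }),
    // Swapping in honest client data does not help: the signature covers its hash.
    rewritten: verifyAssertion({ ...phished, clientDataJSON: good.clientDataJSON },
      { ...rp, challenge: first }),
  };
}
console.log(demo());
```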


W3C Proposed Recommendation: Web Authentication

2019-01-31 Thread L. David Baron
A W3C Proposed Recommendation is available for the membership of
W3C (including Mozilla) to vote on, before it proceeds to the final
stage of being a W3C Recommendation:

  Web Authentication
  https://www.w3.org/TR/webauthn/
  Deadline for responses: Thursday, February 14, 2019

If there are comments you think Mozilla should send as part of the
review, please say so in this thread.  Ideally, such comments should
link to github issues filed against the specification.  (I'd note,
however, that there have been previous opportunities to make
comments, so it's somewhat bad form to bring up fundamental issues
for the first time at this stage.)

Given that we implement this specification, one of the editors works
for us, and have been supporting this work for a while, I'm assuming
we should support this advancement as well...

-David

-- 
𝄞   L. David Baron http://dbaron.org/   𝄂
𝄢   Mozilla  https://www.mozilla.org/   𝄂
 Before I built a wall I'd ask to know
 What I was walling in or walling out,
 And to whom I was like to give offense.
   - Robert Frost, Mending Wall (1914)

