New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove unimplemented extensions #1386
Comments
We may be able to get two implementations of UVM. |
EXTS is also out due to no implementations. |
Transaction Authorization provides a simple and effective method to implement the PSD2 Dynamic Linking requirement. We might even want to find a way to allow Browsers supporting Transaction Authorization even with authenticators that don’t have a display. With that the Browser would send the transaction text to the Authenticator if the authenticator support displaying it, and the browser would display the transaction if the authenticator doesn't support transaction confirmation, e.g. most security keys. |
I agree a extension like that would be good. That may need to be a new extension however. The problem is mostly that the browsers are hesitant to display RP provided text in the browser chrome. That is probably the first issue that needs to be addressed. |
PSD2 Dynamic Linking requirement can be done without ANY involvement of FIDO/WebAuthn, I don't know why we would put this requirement on WebAuthn when it can be done elsewhere |
I advocate us deleting all the Level 1 extensions that have not been implemented in any shipping browser. Note that they can continue to be referenced in the L1 spec, even though they have been deleted from the L2 spec. |
I would also support removing these from L2. They can still be referenced in L1. |
Except for UVM, I also support this. |
Add Mike as a reviewer for pull request. |
Fixed by #1399 |
It's a great shame that txAuthSimple and txAuthGeneric were dropped from the spec. Is there any chance these will be reintroduced (either in their original form or in some new form) again? There already exist FIDO2 tokens with display (see below) and these extensions were perfect match for confirming transaction data on the device display. |
There were no implementations to meet the interoperability requirements to publish them within the WebAuthn specification. Furthermore, there were indications that browser and platforms would continue to not support the extension - mixing system UI with consent for security/privacy release with injected dynamic contact is a recipe for user confusion. What may be more feasible would be extensions for specific use cases without arbitrary text. For instance, a future extension might be imagined for approving financial transactions, where the request contains structured data and the authenticator or client fully controls the presentation of the request. |
I guess extension like txAuthSimple but with CBOR instead of a simple string would be nice. Can you please advice how to suggest this addition? I am unfamiliar with the process ... |
Note that the extensions will remain registered in the IANA Registry at https://www.iana.org/assignments/webauthn/webauthn.xhtml#webauthn-extension-ids and can still be used, if implemented. |
|
Long history, Jan (@jpstotz). FIDO2/WebAuthn was intended to be a merger of the original FIDO U2F and UAF protocols - the former designed primarily for browser platforms on desktops/laptops, and the latter exclusively for mobile rich client applications. As standards groups inevitably show us, the effort resulted in a third protocol that includes some features of U2F and UAF - but not all. The implementation page you referenced describes UAF implementations - they are the source of WebAuthn extensions which were defined in the L1 spec, but as W3C rules mandate, unless there are 2 confirmed, interoperable implementations, they cannot remain. Hence the debate about removing unimplemented extensions in L2. |
@jpstotz I believe the page you linked concerns support from authenticator vendors, but that is only half the picture. All WebAuthn extensions are explicitly declared to be optional for both authenticators and clients to support, so it's not enough that just the authenticator supports one. WG representatives for the major browsers have stated that they have no plans to implement support for these removed extensions, so they were removed in L2 to better reflect what's likely to be supported in practice. |
@emlun @arshadnoor Thanks for clarification. In my opinion the separation of the "passwordless authentication" into WebAuthn and CTAP2 managed by two organizations (W3C/FIDO) make it pretty hard to get the full picture of what is actually usable. Another level of confusion is the "level concept" of the WebAuthn standard. Typically if you use levels so level 2 includes or bases on level 1, but as the removal of extensions shows this is not the case in WebAuthn. A third dimension of confusion is introduced by FIDO as there are the Certified Authenticator Levels - again levels that have nothing to do with WebAuthn levels. Why not call it as it is a "version" so we have version 1.0 and an partially incompatible version 2.0. That would be in my opinion way more easy to understand. |
"Level" is a W3C term not unique to WebAuthn. At https://www.w3.org/TR/ you can find many more documents using this terminology. |
The removal was not a deprecation - the extensions are still valid to be used by their unchanged level 1 definitions. They were removed from the level 2 spec to better represent the reality that they do not work in the real world, and client implementations have indicated no interest in supporting them regardless of authenticator support.
The quick rule of thumb is that WebAuthn is a dependency of CTAP 2.x, not vice-versa. If there are things needed to use the Web Authentication API or to process messages which are not defined in the Web Authentication specification, then those are areas of improvement. The API defined in WebAuthn lists the sum capabilities exposed to the relying party through client javascript, including by authenticators which do not conform to CTAP. That includes defining extension mechanisms for new attestation schemes and message-level extensions. CTAP defines a few of the latter, including some which make no sense to expose in a browser javascript context. You also tend to have non-javascript API for interfacing with authenticators that reference the WebAuthn spec - for instance, native application APIs on Android, Windows, and iOS/macOS platforms. These usually define a mapping into native API of the JavaScript API, and may define additional rules around RPID validation (e.g. specified origin should have a file in a well-known location with certain contents) or entitlements (such as an optional capability for an app to operate for all RPID, such as a web browser). |
This extension has been removed from WebAuthn Spec here: w3c/webauthn#1386 It could still be used, but there was no concrete usage of it. If it were to be replaced, we should probably consider the payment extension: https://w3c.github.io/secure-payment-confirmation/
This extension has been removed from WebAuthn Spec here: w3c/webauthn#1386 It could still be used, but there was no concrete usage of it. If it were to be replaced, we should probably consider the payment extension: https://w3c.github.io/secure-payment-confirmation/
While it's already possible to explicitly require the `userVerified` flag during the registration and authentication ceremonies, it's possible that a server may want to provide differing behavior when a user was verified even if the ceremony expressed a preference of `preferred` or even `discouraged`. The common case here is to treat UV=1 as a two-factor auth, and UV=0 as a single (possession) factor, and adjust permissions or a sign-in flow accordingly. It's not strictly reliably accurate 100% of the time, and this alone is insufficient to know _which_ factors were used, but it's a close-enough assumption for the majority of use-cases. In any case, this library imposes no requirements that servers even look at this, but it provides the option. Note that in theory the [`uvm` extension](https://www.w3.org/TR/webauthn-2/#sctn-uvm-extension) should provide similar information, MDN (as of writing) [doesn't acknowledge](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API/WebAuthn_extensions) this value; I've had no success getting it to behave in any browser I've tested. w3c/webauthn#1386 / w3c/webauthn#1399 suggest it should continue to exist, but in practice that seems not to be the case.
At the F2F the work group decided to remove extensions that have not be implemented and are not testable from the Level 2 spec
The proposed list of extensions to be removed are:
Simple Transaction Authorization Extension (txAuthSimple)
Generic Transaction Authorization Extension (txAuthGeneric)
Authenticator Selection Extension (authnSel)
User Verification Index Extension (uvi)
Location Extension (loc)
User Verification Method Extension (uvm)
Biometric Authenticator Performance Bounds Extension (biometricPerfBounds)
and possibly
Supported Extensions Extension (exts)
Feedback on if this is the correct list.
please
The text was updated successfully, but these errors were encountered: