New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Indicate resident key credential "preferred" during registration and find out what the authenticator offered #991
Comments
I think this sounds like a good idea for L2. |
@sbweeden out of scope for L1 moved to L2 |
It may be a smoother registration flow to try resident and fall back, |
This is a great idea |
Let's make a PR for this. |
To kick off the solutioning discussion - how do we expose this as part of the WebAuthnAPI? I don't know enough about CTAP2 to know if this is viable, but from a pure WebAuthn/RP perspective, here's a suggestion to start with that attempts to preserve backwards compatibility with the existing API. There are other options such as extensions, however I prefer not to go down the extensions route as I think it is important that all user-agents support this capability and therefore it be part of the core API. Currently in L1, Part 1 - Allowing the RP to express that resident keys are "preferred", if supported, but that it's ok to fallback to non-resident
Only one of Logically,
The new functionality is exposed via the Part 2 - How authenticators report on what type of key was provisioned (resident / non-resident) Again there are several options including:
My suggestion is to consider using one of the flags bits (e.g. bit 5). The flag could be used during both the registration ceremony (to indicate whether resident key was provisioned or not), and authentication ceremony (to indicate if a resident key was used). The latter is not really necessary because the server could remember if the CPK was resident following the registration ceremony. Other considerations The algorithm for creating a new credential (https://w3c.github.io/webauthn/#createCredential) will need to be updated to consider new processing rules for Similarly, section 6.3.2 (https://w3c.github.io/webauthn/#op-make-cred) requires update in a couple of places, which probably also means CTAP2 requires update. If the above suggestion were to be implemented, the IDL Index (https://w3c.github.io/webauthn/#idl-index) would also need updating. |
Thanks @sbweeden, I think this looks pretty good as a starting point, but (re @leshi) I think we need more discussion on the deeper implications of this before we're ready to move forward with a PR. Part 1: WebIDL APII mostly agree with your draft, but I would rename
And the client/authenticator behaviour would be:
We could also add a Part 2: Authenticator reportThis is where it gets tricky. Any change we make to what the authenticator returns will require changes to authenticators, and whatever solution we think up for L2, it will still be near impossible to know for sure whether a L1 authenticator created an RK or not. This means we probably need some way for the authenticator to signal that it's a L2 authenticator. For example, if we set a new flag bit to 1 to mean RK, then 0 could mean either "not RK" or "L1 authenticator (maybe RK)". Like the RK indicator, there are a few ways we could add an L2 signal:
I agree that putting this in extension data is not ideal, but it might be the best option here since a single reserved bit isn't quite enough. What do others think? |
I can see an argument for the RP to create a credential that can only be used with an allow list. I however don't think it will get used much, but if we think we may want prohibited now would be the time to add it. It would make it clear to some platform authenticators that they need to require an allow list even if the credential is storred locally. I suspect the best way to report back is extension data. The custom bits will get used too quickly. |
Ah, I hadn't considered that aspect of it, that does make sense. One issue with unsolicited extensions is that RPs that implement the L1 RP operations as written would reject L2 authenticators, so if we want to go down that route it's probably best to try to move this quickly - maybe even issue errata for the L1 RP ops. |
The point of this proposal is not really centred on an argument that the RP wants to create a credential with an allowList. It's centred on the fact that many authenticators (including existing U2F authenticators) are incapable of creating a resident key credential and the RP doesn't want to prevent them from registering, and more to the point wants to allow them to register in one go, without an error experience. |
@sbweeden and @equalsJeffH to work on creating PR |
I think Jeff had ResidentKeyRequirement prohibited in a previous proposal. [issue #1149] The only reason I can think of for someone wanting that is so the credential would require an allow list. Some authenticators always make resident credentials even if non-resident is requested. Those credentials do currently show up if no allow list is sent. If we don't have a real use case for forcing non-resident, then we should probably not include it. If people are doing a second-factor flow they probably should not be asking for preferred. I think we need required, preferred and something like discouraged, indifferent, or ambivalent so that the user agent can prefer non-resident on roaming authenticators. More or less the existing behaviour with the addition of preferred. |
John's reasoning sounds right to me. |
In follow-up from the working group call on March 13 and other discussion here, the semantics of the Web IDL changes proposed by @emlun seem agreeable. There was also a preference amongst the majority of those who spoke up to use extensions to communicate what the authenticator actually used rather than a flags bit. This comes with the caveat that there will never be a guarantee that the RP will know if a resident key credential has been provisioned because all extensions are OPTIONAL. The hope is that the proposal is really useful and will therefore be adopted by clients and authenticators. The indication of resident/non-resident key type is really only needed as a registration extension, but might be useful also as an authentication extension as it could allow RP's to discover the type of credential for existing registrations that were created under L1. As such, I'll propose the following extension definition which covers both the create() and get() flows. If there is objection to using it on get(), then that part can be easily dropped. The extension is designed in a way such that if there are any other credential properties that might be of use, these can be included in the outputs dictionary. I've defined the extension as an authenticator extension as it is undefined as to whether or not the client has any way (other than for platform authenticators) to know what the authenticator provisioned or used. Clients may augment the extension output if they do have this knowledge. If anyone has further input on this, please chime in - I'm hoping to use the IDL updates proposed by @emlun plus this extension to form the basis of a PR for this issue. 10.10 Credential Properties ExtensionThis extension allows WebAuthn Relying Parties to query additional properties of the authenticator's credential created during a registration ceremony, or used during an authentication ceremony. Extension identifier Operation applicability Client extension input
Client extension processing Client extension output
Authenticator extension input Authenticator extension processing Authenticator extension output |
I'm positive to this idea, but I think we'd better try to make sure that nonstandard property additions don't collide with any standard properties added in the future. I see a few obvious ways to do this:
Alternatively we can just forbid nonstandard properties instead. What do others think? |
Way too much to read here... so I'll start afresh. I'll just add my 2'cs here: Just as we have a tri-state for UV, we need a tri-state for RK. And there's a very particular reason why an RP might want to do Forbidden/Disallows: If they really really really don't want to deal with PINs set up on tokens. I believe we now have consensus, that when a non-RK credential is created, EVEN IF A PIN IS SET UP ON A TOKEN, if UV=False, it will not require the user to enter a PIN during creation. I need a way to force that a credential is non-resident in order to get that behavior, hence this property. Actually, I think even if someone is making a resident credential, if UV=false it shouldn't require a PIN (or other form of UV), but this once seems to require more convincing. |
Cristian I see your argument for disallowed if CTAP changes the pin rules for creating non resident and keeps the pin as a requirement for resident. I think we still have a problem if in your tri state allowed is interprited as the platform making it resident if it can. I suspect that we really have 4 states. We don't really want authenticators returning errors for Forbidden. That would cause RP to avoid using it. I take it that what you want with forbidden is really just that the user is not prompted for PIN or UV just UP top make a credential. The allow list requirement is really just a way to get that based on the proposed CTAP changes. If CTAP didn't require a PIN/UV for make credential if UV is not required in the request then you might not need forbidden? Just trying to inderstand the interaction between this and the proposed CTAP changes. Not all authenticators have infinate space for resident credentials. |
With the introduction of "Forbidden: won't require a device pin or UV" I feel like the scope has expanded. Should we really try to cram all of these sematics into a single option, or should we instead do all of this in the new extension and let it both specify and query for credential properties? |
I think the model is ok, don't see why we don't just add |
@sbweeden to create PR |
There is an interesting usability discussion for password-less (and username-less) authentication in the FIDO-DEV group here: https://groups.google.com/a/fidoalliance.org/forum/#!topic/fido-dev/ALQj3JXuyhs |
@equalsJeffH @ve7jtb @emlun - can you guys take a look at PR #1191 and see if you think this is headed in the right direction? |
I think the Currently the client simply forwards the PR #1191 as currently written adds some logic where the client will contextually ignore authenticators based on their characteristics, but still ultimately sends the same So I think we need to either
(1) obviously has the downside of requiring change to CTAP as well, but it also comes with additional benefits for Thoughts on that? |
I don't know that forbidden is worth breaking CTAP for. I guess this could
be part of CTAP2.1
I think we need to discuss what Christian is looking for.
I think he wants to make a credential over CTAP that doesn't require a PIN
to create.
At the moment CTAP2.0 requires a pin or UV if it is set for the device.
So I suspect what he wants is going to need changes and a CTAP2.1
Our choices could be:
1) allow the creation of just non-resident credentials without pin
(probably needs forbidden to get the effect Christian wants)
2) allow the creation of both resident and non-resident without pin/UV
(wouldn't require forbidden)
I suspect that option 1 is less controversial than option 2, but we sort of
need to decide that before deciding if forbidden is required.
John B.
…On Tue, Mar 26, 2019 at 4:09 PM Emil Lundberg ***@***.***> wrote:
I think the forbidden value requires a breaking change to the
authenticator API.
Currently the client simply forwards the
options.authenticatorSelection.requireResidentKey (or false if not set)
to the authenticatorMakeCredential
<https://w3c.github.io/webauthn/#op-make-cred> operation. true means the
authenticator MUST create a client-side-resident credential, and false
means the authenticator MAY create a client-side- or a server-side-resident
credential at its discretion.
PR #1191 <#1191> as currently written
adds some logic where the client will contextually ignore authenticators
based on their characteristics, but still ultimately sends the same
requireResidentKey
<https://pr-preview.s3.amazonaws.com/sbweeden/webauthn/pull/1191.html#effective-resident-key-requirement-for-credential-creation>
parameter to authenticatorMakeCredential
<https://w3c.github.io/webauthn/#op-make-cred>. This is probably the best
we can do without breaking the authenticator API. However, when the
authenticator is capable of both client-side- and server-side-resident
credentials, then the existing Boolean requireResidentKey parameter to
authenticatorMakeCredential <https://w3c.github.io/webauthn/#op-make-cred>
doesn't capture the requirement that the authenticator MUST NOT create a
client-side-resident credential.
So I think we need to either
1. break the authenticator API, by introducing a new parameter that
replaces requireResidentKey, or
2. drop the forbidden value.
(1) obviously has the downside of requiring change to CTAP as well, but it
also comes with additional benefits for preferred and indifferent, as
authenticators capable of both storage modalities can then decide based on
context. For example, an authenticator with limited storage space could
create a resident credential when preferred if there are 10 or more
storage slots available.
Thoughts on that?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#991 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAD4J4F_lK05QcxswcO94euAiI_YI8NEks5vajg0gaJpZM4VLLRf>
.
|
For what it's worth, the addition of the |
Joining the party late. :) Too much to read here.. Requirements:
Let me know if I am not capturing the requirements correctly or missing something. My Recommendation: Input:
Where
Output:
|
@akshayku Do you mean that the |
It doesn't require CTAP changes. Platform will take care of this w.r.t CTAP communication.
|
Ok, in that case it seems to me more like "allowed" or "indifferent" than "discouraged" - because |
RP may have active preference for non-RK. Christiaan wants it so that PIN doesn't happen as that is where the general consensus is in FIDO community. But that should not be a absolute requirement, IMO, for the authenticators . An authenticator may want to do always user verification because of security levels or differentiation or whatever. Another RP may actually want it because, it is creating a bunch of credentials and storage is limited. So he may actually prefer non-RK. But from authenticators side, in some cases, there is no issue with storage or it can't/don't want to do non-resident keys. So we have to allow that also. RP wants one variable, which works across all kind of authenticators. Hence the fallback mechanism. |
Regarding |
Ok, but in that case we would have to issue errata for WebAuthn L1 also, since
Can we do that? I suspect there are platform authenticators that create an RK even if |
Whatever we are discussing if for next level. In that world, when |
Yes, but I took your previous remark to mean "we can redefine what |
What I meant was, IMO, defining WebAuthn deals with I will see how to define the correct behavior in CTAP spec. |
Notes from 2019-04-03 WG call:
|
…have changed the set of permitted ResidentKeyRequirement values back to one of discouraged, preferred, required.
…ments (#1191) * Initial proposal for modifications to resident key credential requirements to address #991 * No-op change to force re-check of ipr. * Change back to IBM * Resolve first round of feedback from @emlun * Fix editorial issue reported by @emlun * Add definition of non-resident credential and reference it in new ResidentKeyRequirement enum definitions. * Rewrite resident key option handling as switch statements * Incoporated meta-PR from @emlun and addressed current round of comments. * Based on comments from WG call on 2019-04-03 (captured in #991) I have changed the set of permitted ResidentKeyRequirement values back to one of discouraged, preferred, required. * Updates based on review feedback and discussion of WG call on 2019-04-17. * Address all review comments from week of April 17-24, 2019. * Address feedback from @agl * Minor update to credProps extension description per @emlun * Addressed comments from @equalsJeffH * Address a bunch of comments from @equalsJeffH that I missed in the conversation. * Additional review fix from @equalsJeffH * Fix minor typo spotted by @equalsJeffH * build on credProps dfn to formalize authnr/client processing * Minor edits to fix compile issue and grammar in the CredProps extension * Per WebAuthn call on May 1, 2019, remove authenticator extension component of the new credProps exception. * Address editorial comments from @emlun and @equalsJeffH * Minor editorials from @emlun
I'd like to revisit the scenario I was trying to achieve in the (now closed) issue #987
Why can't the "requireResidentKey" authenticator selection criteria be a value like "preferred", "required" or "never" instead of a boolean true/false? In addition the registration response could indicate residentKey true/false as a flag similar to the userPresent and userVerified flags, or in an extension.
That way, without knowing ahead of time if an authenticator is capable of resident key (even a portable security key), the relying party could request it with fallback to derived credential (without a hard error), then notify the user of what actually happened and therefore what scenarios their key might be used for (replacement for regular username/password authentication, or only 2nd-factor scenarios)?
The text was updated successfully, but these errors were encountered: