Federations in a WebAuthn World
Something to think about (Leif wanted a more crap-your-pants scary title)
What is WebAuthn?
“This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.”
• https://www.w3.org/TR/webauthn/
• Will allow web apps to trust a strong biometric authentication as a credential that is specific only to that service.
• IdPs are not required - this is a direct service-to-user relationship
• Attribute Authorities will absolutely have a role
• What role do federations have?
[Figure: Passwordless Web Authentication flow, https://en.wikipedia.org/wiki/WebAuthn#/media/File:Passwordless_Web_Authentication.svg, Tom Scavo, CC BY-SA 4.0]
Why do this?
• Attacks on OTP-based authn are now fully automatable
• OTP-based systems make for horrible UX
We’ve heard this story before...
• The smartcard is going to win…. yeah right!
• Only this time the smartcard “driver” moved into the browser and...
Hey presto!
• Supported in Edge, Chrome, FF
• Almost ready in Safari for macOS
• Pre-released in Safari for iOS
As far as browser support goes, that’s the full monty!
Check your assumptions at the door!
• Authentication no longer automatically means password
• The default “user recognized” UX for login does not involve a password
• Strong authentication no longer means password + something
• MFA is no longer best-in-class
• Authentication is no longer enough to motivate having an IdP
• SSO is “for free” directly at the SP
Implications for IdP Operators
• Your IdP has to provide attributes in order to add value
• Your MFA strategy based on Google Authenticator is wrong
• In fact… stop talking MFA and start talking Strong Authentication
• Login UX not based on FIDO2 will seem “odd” to users - a bad place to be
Implications for Federation Operators
• Your IdPs need help to sustain value!
• SSO is not enough of a foundation on which to build your kingdom
• Research-oriented IdPs can now do all your campuses can do - only faster
• Stop talking about MFA - start talking about Strong Authentication
Who has their eyes on this?
• Who is implementing services towards this standard?
• Duke University
• eduID.se
• login.gov
REFEDS
Is there anything here for REFEDS to do (other than watch this space)?