way to return a platform specific Name for the thing that gets registered. #1304

Closed
rlin1 opened this issue Sep 20, 2019 · 5 comments

Comments

@rlin1
Contributor

rlin1 commented Sep 20, 2019

Today, when RPs ask the user to register a FIDO authenticator, it is difficult to learn what to ask the user for (Fingerprint, Security Key, FIDO Authenticator, ...).
Ideally they would ask "Do you want to register a FIDO Authenticator?" - but not all users might understand that.
On the other hand some platforms are pushing for their specific names (Windows Hello, TouchID, FaceID). But while guessing whether Windows is the underlying platform might be possible, distinguishing TouchID from FaceID is not that straight forward through JavaScript.

And most users might still primarily think of the modality, e.g. "Do you want to use your fingerprint to authenticate?". But the leading modality is not easy to guess through JavaScript.

Note: Asking for "Do you want to register your Security Key?" is highly confusing when platform authenticators are being used.

Any thoughts?

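The following is an added example, not code from the WebAuthn specification or from anyone in this thread. It shows what an RP can establish in script today without guessing the modality or vendor name: the real `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` check and the `authenticatorAttachment` criterion the RP sets in its own `create()` options. Prompt strings, helper names and the window-like parameter are this example's own assumptions; the challenge is assumed to come from the server.

```javascript
// Added example (not from the WebAuthn spec or the thread): derive registration
// prompt wording only from facts the RP has in script, so a platform-authenticator
// user is never asked for a "security key" they do not have.

// Feature-detect the availability check on a window-like object. Taking the object
// as a parameter lets the same code run in a browser (pass window) and in Node
// (pass a constructed stand-in for testing).
function hasPlatformAuthenticatorCheck(win) {
  const pkc = win && win.PublicKeyCredential;
  return typeof pkc === 'function' &&
    typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === 'function';
}

// Resolves to true only when the browser positively reports a user-verifying
// platform authenticator. A missing API or a rejected promise is treated as
// "not known to be available", never as an error the user has to see.
async function platformAuthenticatorAvailable(win) {
  if (!hasPlatformAuthenticatorCheck(win)) return false;
  try {
    const result = await win.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
    return result === true;
  } catch (err) {
    return false;
  }
}

// Wording comes from two facts only: the attachment the RP itself requested, and
// whether a platform authenticator is known to be available. "Security key" is used
// only when the RP restricted the ceremony to roaming authenticators. Modality
// (fingerprint vs. face) and vendor names are deliberately not inferred.
function registrationPrompt(requestedAttachment, platformAvailable) {
  if (requestedAttachment === 'cross-platform') {
    return 'Do you want to register your security key?';
  }
  if (requestedAttachment === 'platform' || platformAvailable) {
    return "Do you want to use this device to verify it's you?";
  }
  return 'Do you want to register a FIDO authenticator?';
}

// Build the navigator.credentials.create() options together with the prompt, so the
// text shown to the user cannot drift from what is requested. The challenge must be
// generated server-side per ceremony (assumption: caller passes it in as bytes).
function buildRegistration(rp, user, challenge, requestedAttachment, platformAvailable) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error('challenge must be server-generated, at least 16 bytes');
  }
  const authenticatorSelection = { userVerification: 'preferred' };
  if (requestedAttachment) {
    authenticatorSelection.authenticatorAttachment = requestedAttachment;
  }
  return {
    prompt: registrationPrompt(requestedAttachment, platformAvailable),
    publicKey: {
      rp: { id: rp.id, name: rp.name },
      user: { id: user.id, name: user.name, displayName: user.displayName },
      challenge,
      // COSE algorithm identifiers: -7 is ES256, -257 is RS256.
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }, { type: 'public-key', alg: -257 }],
      authenticatorSelection,
      attestation: 'none',
      timeout: 60000,
    },
  };
}

// Browser usage in the RP's own flow: detect, build, show the prompt, then call
// create() with the same options the prompt was derived from.
async function startRegistration(win, rp, user, challenge, requestedAttachment) {
  const available = await platformAuthenticatorAvailable(win);
  const reg = buildRegistration(rp, user, challenge, requestedAttachment, available);
  // e.g. showDialog(reg.prompt); then:
  // return win.navigator.credentials.create({ publicKey: reg.publicKey });
  return reg;
}
```

The point of tying the prompt to `authenticatorSelection` is that the RP already controls which kind of authenticator it asks for; it does not need the browser to reveal a product name to avoid the confusing "security key" wording.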
@nadalin nadalin added this to the L2-WD-03 milestone Sep 20, 2019
@rlin1
Contributor Author

rlin1 commented Nov 6, 2019

Idea: "Using this device to verify it's you". But on Windows the preferred language is Windows Hello.

@equalsJeffH
Contributor

on 2020-01-29 call: need platform folks' thoughts on this one.

@equalsJeffH
Contributor

on 2020-02-19 call, @akshay reports that he's heard from RPs about this recently (they are having this issue...)

some folks concerned that anything returned might be used by RPs to discriminate unnecessarily between authnrs.

@arshadnoor

I see two problems with this:

  1. By providing such information to RPs, the standard runs the risk of enabling the violation of privacy protections mandated by law in some parts of the world (all parts, if rationality prevailed). California's Consumer Privacy Act (CCPA) recognizes IP addresses and similar metadata as Personally Identifiable Information (PII). Yes, RPs have to conform to the law - not Standards organizations. But, if a protocol/standard leaks information that violates evolving/progressive privacy regulations, there is a good chance that influential non-technologists (lawyers) will kill the use of the technology to protect the company from liability;

  2. By shielding customers from understanding some of the UX semantics of FIDO-based authentication, we are perpetuating the problem: that of treating users as being incapable of using something a little different because of our own preconceived notions.

I would strongly encourage the FIDO Alliance and W3C to work on creating educational material to "lift users up" by giving them the knowledge they need to know what to do with their brand/type of Authenticator when prompted to use their FIDO Authenticator, rather than to "dumb them down" further. In the long-term, educating users will be a win-win situation for everybody concerned.

(In case you're wondering what is the harm in shielding them from information they ought not to/might not care about, you only have to read the current headlines in newspapers to see the consequences of that strategy).

@equalsJeffH
Contributor

2020-02-26 meeting: the room agrees that given the several opinions expressed above for not doing this, we will close this.

5 participants