Feature request: Add API for android finger print reader #659
Comments
The Web Authentication working group is probably the right place to ask this, but I think this is out of scope for the Web Authentication spec. Web Authentication is an API specifically for creating and accessing public key credentials; biometrics is a separate concern. Web Authentication does specify an API for verifying the identity of the user, namely the Even if you don't use Web Authentication I would advise against using fingerprints directly as the proof of identity, because fingerprints are easy to copy and difficult to replace. In fact, fingerprints are arguably worse than passwords in this regard. Web Authentication solves this issue by allowing fingerprints, and/or other biometrics, to be used as a client-side lock, but the fingerprint is intentionally never visible to the Relying Party (server). In this way the actual credential, the public key, can be revoked and replaced if the authenticator is lost or stolen. It also prevents a security breach at one cloud service from leaking fingerprint credentials that could be replayed to forge logins elsewhere.
I believe that browsers running on Android can treat the Android Keystore as an Authenticator and expose it through the WebAuthn API. I agree that it'd make sense to mention this somewhere in the spec or other documentation, but I don't think it needs any changes to the normative text. @battre, is that right?
@emlun thanks for your input. I’m happy I finally found the right place 😄 I like the idea from @jyasskin. Are there possibilities where it matters how the client was securely authenticated? Or is any other auth way as good as fingerprint? I just see the benefit of usability of fingerprint/face recognition. Think it’s definitely worth mentioning somewhere
Great, I hope I didn't come across as condescending. :) WebAuthn does mention use of fingerprints as an example of user verification, but leaves the implementation unspecified and up to the authenticator - probably the browser and/or OS in the case of Android fingerprint scanners. The API available to the Relying Party is that it can request user verification, and the authentication operation will simply fail if the user can't provide the right fingerprint. Whether to use fingerprints specifically - or something else like PIN, password, face, iris, voice, whatever - is up to the authenticator and opaque to the RP, so if an authenticator such as a smartphone supports multiple verification methods it may allow the user to choose per request which authentication method to use. In summary: If you as an RP use the WebAuthn API and request user verification, you won't need to do anything else to support fingerprint login - the client side will take care of that for you if it's capable. On the other hand you won't be guaranteed fingerprint verification specifically, but instead it will automatically fall back to any other verification method available without any change on the RP side. Does that answer your questions?
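The "request user verification, then check the result" flow described in the comment above, as an added example that is not code from the issue thread or the WebAuthn project. It shows the RP-side request options and a server-side check of the user-verified (UV) flag in the authenticator data; the byte sample at the end is constructed, and the function names are assumptions of this example.

```javascript
// Added example (not from the issue or the spec). Runs in Node.js or a browser.

// RP-side request: the RP asks for user verification. Which method satisfies
// it (fingerprint, PIN, face, ...) is chosen by the authenticator, and the
// biometric itself never reaches the RP.
function buildGetOptions(challenge, rpId, allowedCredentialIds) {
  return {
    publicKey: {
      challenge,                                  // server-generated random bytes
      rpId,
      allowCredentials: allowedCredentialIds.map((id) => ({ type: 'public-key', id })),
      userVerification: 'required',               // 'preferred' allows UP-only fallback
      timeout: 60000,
    },
  };
}

// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4] (big-endian) | ...
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error('authenticator data too short');
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false),
  };
}

// Server-side check: when UV was required, an assertion whose UV bit is clear
// must be rejected; with 'preferred', user presence alone is acceptable.
function userVerificationSatisfied(authData, requirement) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return false;
  return requirement === 'required' ? parsed.userVerified : true;
}

// Constructed sample: zeroed rpIdHash, flags = UP|UV (0x05), signCount = 7.
const sampleAuthData = new Uint8Array(37);
sampleAuthData[32] = 0x05;
sampleAuthData[36] = 7;
```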
@emlun Not at all :) This does indeed answer my question. Thanks a lot!
Great! I'll go ahead and close this issue, but please feel free to reopen it if you have any more questions.
So, I wanted to develop a progressive web app where the user can log in with his fingerprint. But unfortunately there is no API on how to check the user's finger is valid.
----- DISCLAIMER -----
I don't know if this is the wrong place to post a feature request. So if you could point me in the right direction, that would be awesome :)
What is the expected behavior?
So I see different very helpful use cases for this API:
Provide strong authentication with two factor authentication for a web app
Simple sign on process for web app
The registration process probably would look similar to the subscription process for web push notifications.
As I didn't see this explicit use case in the draft, I wanted to post this issue...