Add details about the Cross-device experience for the Digital Credentials API
The current Digital Credentials Web API specification only briefly mentions cross-device functionality, stating it "supports implementing cross-device experience with proximity checks." This is too vague for developers.
This issue proposes adding a new section to the specification that details the cross-device experience, specifically:
- How a user's smartphone can act as an authenticator for a second device, like a laptop or desktop computer.
- That this flow leverages the Client to Authenticator Protocol (CTAP), which is the same protocol used in FIDO2.
- The step-by-step authentication flow, including how proximity checks and biometric authorization on the mobile device are used to securely authorize the transaction.
- The corresponding Security Considerations: the importance of secure, short-range communication channels (like Bluetooth Low Energy or NFC) for the proximity check, as well as the use of cryptographic keys to secure the communication between the devices.
I agree there might be some security considerations here, but I wonder if they are covered by CTAP already?
I think this is better suited for developer docs than the spec (e.g. digitalcredentials.dev).
We could just remove:
"supports implementing cross-device experience with proximity checks."
Yeah, @timcappalli might be right... however, we could still make some non-normative mention of this in the spec's security considerations section as it's a really common case, right?
People reading the spec might rightfully ask "how does the cross-device stuff work securely?", to which we could say something like: "Although cross-device protocol issuance and request protocols/formats are out-of-scope, data exchange is often handled by standards like [CTAP]. Please see the FIDO Security Reference for how it works securely." or something.