
continuous assertion

Open devsnek opened this issue 1 year ago • 5 comments

sorry if this is a bit half-baked, I'm not a security expert, just a casual webauthn enjoyer. I had an idea, inspired a bit by smart cards, about some sort of flow where a client can continuously make assertions as long as a key is plugged in (vs having to prove user presence each time). Cookies or tokens can be leaked/stolen, so a server authenticating via a security key would seem appealing (for example, each http request that a single-page app makes being signed by the key). I don't know how the client would ask for permission from the user to make a series of assertions instead of just one in a way that makes sense to the lay user, hopefully people more experienced than me have thoughts here.

devsnek avatar Jul 29 '22 22:07 devsnek

@devsnek I think you are thinking about something like https://www.rfc-editor.org/rfc/rfc8705.html or https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop . The issue with the suggestion you have here is that user presence and interaction is a really core part of how these devices work, especially fido, so using this to "assert binding" is probably not completely possible.

The "right" answer is above, it's to use something like the rfcs listed where you trust-on-first-auth via webauthn, and then bind the session to that device somehow.

Firstyear avatar Aug 02 '22 01:08 Firstyear

user presence and interaction is a really core part of how these devices work

Yes and no. At least CTAP2 actually can perform getAssertion without user presence (also called "silent authentication"), it's just that WebAuthn requires that browsers always set the "require UP" option. So we certainly could devise a WebAuthn operation that, for example, an RP could call once a minute or so to get a silent assertion (but probably only after one with user presence).

But the use cases and specifics are quite muddy beyond that. The kind of integration with HTTP envisioned here seems closely related to ideas discussed in #1255, which so far haven't gained any traction either.

emlun avatar Aug 02 '22 14:08 emlun
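To make the two proposals above concrete (devsnek's "each request signed by the key" and Firstyear's "trust-on-first-auth via webauthn, then bind the session to that device"), here is an added example that is not code from this thread or from the WebAuthn spec. It models the server side of a DPoP-style proof-of-possession scheme: a session is bound at the initial user-present login to a device public key, and every later request carries a signature from that key over the method, path, a timestamp and a nonce. The in-memory P-256 key standing in for the authenticator, the endpoint paths, and the 30-second skew window are all assumptions for illustration; a real deployment would take the public key from the WebAuthn credential and would persist the replay cache.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// RequestProof is what a client attaches to each HTTP request: a signature by
// the session's bound device key over method, path, a client timestamp and a
// fresh random nonce (so the server can detect replay).
type RequestProof struct {
	Method    string
	Path      string
	Timestamp int64  // Unix seconds as claimed by the client
	Nonce     string // random per request
	Signature []byte // ASN.1 DER ECDSA signature over signingInput(...)
}

// signingInput builds the canonical bytes that are signed and verified. The
// fields are joined with '\n', which none of them may contain.
func signingInput(method, path string, ts int64, nonce string) []byte {
	canon := strings.Join([]string{method, path, strconv.FormatInt(ts, 10), nonce}, "\n")
	h := sha256.Sum256([]byte(canon))
	return h[:]
}

// GenerateDeviceKey stands in (assumption) for the per-device key an authenticator holds.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignRequest is the client side: produce a proof for one request.
func SignRequest(priv *ecdsa.PrivateKey, method, path string, now time.Time) (*RequestProof, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return nil, err
	}
	p := &RequestProof{Method: method, Path: path, Timestamp: now.Unix(), Nonce: hex.EncodeToString(nb)}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signingInput(method, path, p.Timestamp, p.Nonce))
	if err != nil {
		return nil, err
	}
	p.Signature = sig
	return p, nil
}

var (
	ErrStale  = errors.New("proof timestamp outside allowed skew")
	ErrReplay = errors.New("nonce already used")
	ErrBadSig = errors.New("signature does not verify under the bound key")
)

// Verifier is the server side for one session: the public key bound at the
// user-present login, plus the replay state for the freshness window.
type Verifier struct {
	pub     *ecdsa.PublicKey
	maxSkew time.Duration
	seen    map[string]int64 // nonce -> timestamp it was used with
}

func NewVerifier(pub *ecdsa.PublicKey, maxSkew time.Duration) *Verifier {
	return &Verifier{pub: pub, maxSkew: maxSkew, seen: make(map[string]int64)}
}

// Verify checks a proof against the request the server actually received:
// method and path come from the request, not the proof, so a proof made for
// one endpoint cannot be replayed against another.
func (v *Verifier) Verify(p *RequestProof, gotMethod, gotPath string, now time.Time) error {
	ts := time.Unix(p.Timestamp, 0)
	if ts.Before(now.Add(-v.maxSkew)) || ts.After(now.Add(v.maxSkew)) {
		return ErrStale
	}
	for n, t := range v.seen { // nonces older than the window can no longer replay
		if t < now.Add(-v.maxSkew).Unix() {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[p.Nonce]; dup {
		return ErrReplay
	}
	if !ecdsa.VerifyASN1(v.pub, signingInput(gotMethod, gotPath, p.Timestamp, p.Nonce), p.Signature) {
		return ErrBadSig
	}
	v.seen[p.Nonce] = p.Timestamp // record only after a successful check
	return nil
}

func main() {
	priv, _ := GenerateDeviceKey()
	v := NewVerifier(&priv.PublicKey, 30*time.Second)
	now := time.Now()
	p, _ := SignRequest(priv, "GET", "/api/me", now)
	fmt.Println("first use:  ", v.Verify(p, "GET", "/api/me", now))
	fmt.Println("replay:     ", v.Verify(p, "GET", "/api/me", now))
	p2, _ := SignRequest(priv, "GET", "/api/me", now)
	fmt.Println("other path: ", v.Verify(p2, "GET", "/api/admin", now))
}
```

The design choice that matters is the order of checks: freshness first (cheap, bounds the replay cache), then the nonce, then the signature, with the nonce recorded only once the signature verified. A stolen cookie alone is useless here because the attacker cannot produce a new proof, and a captured proof is useless once its nonce has been seen or its timestamp has aged out.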

user presence and interaction is a really core part of how these devices work

Yes and no. At least CTAP2 actually can perform getAssertion without user presence (also called "silent authentication"), it's just that WebAuthn requires that browsers always set the "require UP" option.

Ahh yes, I was thinking the general case with things like TPMs or touchid etc. If we can guarantee it's ctap2, then sure. But I still think this might be better solved outside of webauthn since the end goal here is "bind a http session to a device".

Firstyear avatar Aug 02 '22 23:08 Firstyear

@devsnek There would be consequences of this using the actual authenticator hardware. Specifically,

  1. The authenticator may have a transport that doesn't provide consistent connectivity (e.g. NFC)
  2. The authenticator may have throughput limitations on the number of requests it can make. A header authentication might result in quite a few transactions.
  3. Likewise, authenticators may take some non-immediate time to operate, although likely always below 1 second.

These may be impacted by the use of extensions as well, such as the device public key extension which may pull in both an additional signature and an attestation process.

dwaite avatar Aug 03 '22 18:08 dwaite

This issue seems to be duplicated to #199.

Kieun avatar Aug 04 '22 02:08 Kieun

This was discussed on the call of 2022-09-07. This style of continuous assertion is certainly interesting for dealing with cookie-theft, but for a variety of reasons the WG doesn't feel that it should be handled via WebAuthn currently.

Speaking for myself: there is enough interest in this area currently that I believe that something will appear in the next ~year which tries to address this, but not via WebAuthn.

agl avatar Sep 08 '22 01:09 agl

Note that on some native platforms this kind of continuous assertion in a webauthn-compatible format is possible. Apple AppAttest is basically WebAuthn without the user presence bit set. https://developer.apple.com/documentation/devicecheck/validating_apps_that_connect_to_your_server

Having continuous assertions available in Service Workers would be a neat way of implementing Proof of Possession.

Whether that has to go through the existing web credentials API is a good question but in my eyes it's a good fit.

arianvp avatar Oct 06 '22 09:10 arianvp