Out of all multi-factor authentication solutions I know of, Web Authentication is our best technical response to the scourge of phishing. Tying public-key cryptography into web logins, it dramatically raises the bar for phishing: From a simple confusable website and replay attack, to an HTTPS network man-in-the-middle. In practice, Web Authentication forces adversaries to move to attack account recovery methods, which often have stronger controls than a standard login.

The specification is large <https://www.w3.org/TR/2019/PR-webauthn-20190117/>, with many backward compatibility pieces that Firefox is likely to never need to implement. The compatibility pieces are useful for providing the installed base of existing FIDO or TCG devices a path forward. The core website functions aren't so complex; Duo's explainer is very good, at https://webauthn.guide/ . There's also forward-extensibility, leading toward a password-less future built on digital signatures rather than disclosing shared secrets.

Web Authentication is now supported by Edge, Firefox, and Chrome. Safari support is experimental.

Websites have been slower to pick it up. Major sites I know of: For the United States, https://login.gov/ uses it -- so, as an example, applying for the Global Entry traveler program will exercise a Web Authentication security key, if you choose. Dropbox <https://blogs.dropbox.com/tech/2018/05/introducing-webauthn-support-for-secure-dropbox-sign-in/> has also supported Web Authentication since Firefox 60 shipped. Most other major properties have indicated they'll support Web Authentication sooner or later.

Try it out at https://webauthn.io/, https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or even the lowly https://webauthn.bin.coffee/.

I encourage Mozilla to support advancement of Web Authentication to a Recommendation, and its end-goal of a phishing-free future.

(Or at least, a much-reduced prevalence. Really, I just wanted to write and imagine 'phishing-free.' Can you blame me?)

Cheers,
J.C.
[n.b., I'm an editor on this spec...]

On Thu, Jan 31, 2019 at 5:58 PM L. David Baron <dba...@dbaron.org> wrote:

> A W3C Proposed Recommendation is available for the membership of
> W3C (including Mozilla) to vote on, before it proceeds to the final
> stage of being a W3C Recommendation:
>
>   Web Authentication
>   https://www.w3.org/TR/webauthn/
>   Deadline for responses: Thursday, February 14, 2019
>
> If there are comments you think Mozilla should send as part of the
> review, please say so in this thread. Ideally, such comments should
> link to github issues filed against the specification. (I'd note,
> however, that there have been previous opportunities to make
> comments, so it's somewhat bad form to bring up fundamental issues
> for the first time at this stage.)
>
> Given that we implement this specification, one of the editors works
> for us, and have been supporting this work for a while, I'm assuming
> we should support this advancement as well...
>
> -David
>
> --
> 𝄞   L. David Baron                         http://dbaron.org/   𝄂
> 𝄢   Mozilla                          https://www.mozilla.org/   𝄂
>              Before I built a wall I'd ask to know
>              What I was walling in or walling out,
>              And to whom I was like to give offense.
>                - Robert Frost, Mending Wall (1914)
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform