+1 and thank you for all the hard work on the spec and landing so much in
FF, JCJ!!!

On Fri, Feb 8, 2019 at 4:09 PM J.C. Jones <j...@mozilla.com> wrote:

> Out of all multi-factor authentication solutions I know of, Web
> Authentication is our best technical response to the scourge of phishing.
> Tying public-key cryptography into web logins, it dramatically raises the
> bar for phishing: From a simple confusable website and replay attack, to an
> HTTPS network man-in-the-middle. In practice, Web Authentication forces
> adversaries to move to attack account recovery methods, which often have
> stronger controls than a standard login.
>
> The specification is large
> <https://www.w3.org/TR/2019/PR-webauthn-20190117/>, with many backward
> compatibility pieces that Firefox is likely to never need to implement. The
> compatibility pieces are useful for providing the installed base of
> existing FIDO or TCG devices a path forward. The core website functions
> aren't so complex; Duo's explainer is very good, at
> https://webauthn.guide/. There's also forward-extensibility, leading toward a password-less future
> built on digital signatures rather than disclosing shared secrets.
>
> Web Authentication is now supported by Edge, Firefox, and Chrome. Safari
> support is experimental.
>
> Websites have been slower to pick it up. Major sites I know of: For the
> United States, https://login.gov/ uses it -- so as an example applying for
> the Global Entry traveler program will exercise a Web Authentication
> security key, if you choose. Dropbox
> <https://blogs.dropbox.com/tech/2018/05/introducing-webauthn-support-for-secure-dropbox-sign-in/>
> has also supported Web Authentication since Firefox 60 shipped.
>
> Most other major properties have indicated they'll support Web
> Authentication sooner or later. Try it out at https://webauthn.io/,
> https://webauthndemo.appspot.com/, https://demo.yubico.com/webauthn/, or
> even the lowly https://webauthn.bin.coffee/.
>
> I encourage Mozilla to support advancement of Web Authentication to a
> Recommendation, and its end-goal of a phishing-free future. (Or at least, a
> much-reduced prevalence.  Really, I just wanted to write and imagine
> 'phishing-free.' Can you blame me?)
>
> Cheers,
> J.C.
> [n.b., I'm an editor on this spec...]
>
>
>
> On Thu, Jan 31, 2019 at 5:58 PM L. David Baron <dba...@dbaron.org> wrote:
>
> > A W3C Proposed Recommendation is available for the membership of
> > W3C (including Mozilla) to vote on, before it proceeds to the final
> > stage of being a W3C Recommendation:
> >
> >   Web Authentication
> >   https://www.w3.org/TR/webauthn/
> >   Deadline for responses: Thursday, February 14, 2019
> >
> > If there are comments you think Mozilla should send as part of the
> > review, please say so in this thread.  Ideally, such comments should
> > link to github issues filed against the specification.  (I'd note,
> > however, that there have been previous opportunities to make
> > comments, so it's somewhat bad form to bring up fundamental issues
> > for the first time at this stage.)
> >
> > Given that we implement this specification, one of the editors works
> > for us, and we have been supporting this work for a while, I'm assuming
> > we should support this advancement as well...
> >
> > -David
> >
> > --
> > 𝄞   L. David Baron                         http://dbaron.org/   𝄂
> > 𝄢   Mozilla                          https://www.mozilla.org/   𝄂
> >              Before I built a wall I'd ask to know
> >              What I was walling in or walling out,
> >              And to whom I was like to give offense.
> >                - Robert Frost, Mending Wall (1914)
> > _______________________________________________
> > dev-platform mailing list
> > dev-platform@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-platform
> >


-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: j...@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Don't miss out! CDT's Tech Prom is April 10, 2019, at The
Anthem. Please join us: https://cdt.org/annual-dinner/
