- edited description
Mitigating security risk by using WebAuthn in cross-device SIOP
Issue #1273
resolved
In 2021-07-27 SIOP special call it was agreed that the most effective way to mitigating MITM/phishing attacks in cross-device SIOP is to use WebAuthn for the session creation and many people expressed interest in writing up a specification how to do so and issue a WebAuthn credential to the claims returned in SIOP response.
Related to Issue #1257 and Issue #1269
just pinging few people @Pamela Dingle @John Bradley @David Waite @{602db0779f84a90069f2eb09} @Tim Cappalli
Comments (8)
-
reporter
-
I have started drafting a Security Considerations section and would appreciate any feedback: https://docs.google.com/document/d/1gWBV8Nhisdq-Pge_NgRXnfvVo5PMU9qvnhsq9vl84b8/edit?usp=sharing
I’ll join the atlantic call next Thursday to discuss this.
-
reporter
At SIOP call a month ago we discussed a proposal, and it was to use WebAuthn to strengthen self-attestation nature of SIOP-based authentication.
We could add this to security considerations section in SIOP? that using WebAuthn as additional authentication is an option?
-
Account Deactivated
My (possibly limited) understanding of how using WebAuthn to securely support cross-device is: the authenticating device performs the WebAuthn enrollment via its local browser with the user’s authenticator, and then that same authenticator must be used again on the initiating device to complete the authentication.
It will require either a separate hardware authenticator that can be used across both devices, or a platform-level authenticator that automatically synchronizes on devices already linked to the user.
That’s pretty restrictive, but it would be secure and only have to be performed once.
-
reporter
Based on the SIOP call discussions we should add a non-normative text in SIOP v2, that we will consider using "WebAuthn based invocation" such as caBLE when and if it is realized, and close this issue.
-
reporter
- changed status to open
On Sept-30-2021 SIOP call we discussed that caBLE is very promising to mitigate cross-device security, but is few years away from being ready, and considered adding a general non-normative language on using proximity between RP and SIOP as a cross-device security enhancement
-
Jeremie said “My (possibly limited) understanding of how using WebAuthn to securely support cross-device is: the authenticating device performs the WebAuthn enrollment via its local browser with the user’s authenticator,”
Whilst it is true that the authenticating device performs WebAuthn enrolment, this does not need to be via browser. Native apps can perform enrolment directly with the RP, and the RP can (in the FIDO protocol) demand a ceremony between the user and the device. This ceremony can mandate such things as, the user is present, the user performs some action to authenticate to the device, and the authenticator must be on the device itself (so called platform authenticator) and not on some external USB hardware.
So FIDO has the potential to be more secure than most other authentication mechanisms. The only weakness we have identified so far is that multiple biometrics may be stored on the device (e.g for parent and child) and all can claim ownership of the FIDO private key. The device is not able to differentiate between the different people (with fingerprint recognition). However Google is working on a mechanism for mDL in which the same biometric that was used during enrolment must be used during credential presentation.
-
reporter
- changed status to resolved
We discussed this number of times and consensus is that this is an implementation consideration and no changes to a normative spec are required.
- Log in to comment
