-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
browser.secureStorage: Discuss how to handle platforms with limited control over authentication methods #190
Comments
Just took a brief look at Android's biometric authentication APIs and it appears that they also don't let you specify a particular authentication method. Instead, developers declare whether they want to require I also briefly looked into the Web Authentication API (WebAuthN) and played with the demo at https://webauthn.io/. I'm very new to this API, but when creating new |
Thanks for poking @dotproto! Good to know that Android is similar and those classes sound sensible (it's actually not far off what I already have in the proposal but I guess I think the hard balance here is definitely between two things:
If we do use the classes approach that doesn't solve the Windows Hello issue. We still need to figure out how we would say that any class is fine, probably using an |
I had a short, very early conversation with a member of Chrome's security team today regarding
I'm tentatively expecting that we'll be taking a harder look at this proposal over the coming weeks. |
Thanks for starting some conversations here @dotproto, super exciting!
I'm open to this and I think it lines up with the different biometric categories (WEAK, STRONG) that you were proposing.
It looks like this quote was in response to a comment pointing out that "In Android app, at least we can control which authenticator models (fingerprint, PIN...) can be used to authenticate." It seems this user had a very similar goal to us and wanted to be able to control which type of biometrics were offered. I think the response actually misses that point and seems to be assuming the user wants to be able to know which of many enrolled fingers were used. I don't believe this was their use case, and it certainly isn't ours. The goal of this proposal is to offer biometrics in the browser, and if we can show a Touch ID prompt and verify an enrolled finger has been presented, we're happy for that to be any of the fingers which have been enrolled.
This is what makes me think that starting with a WebExtension API is the right approach. I'd love to see something that works for the whole web and to that end, I've had conversations with people in the WebAuthn space to see if we could use what they're building - but it feels like a solution in that domain is a way out unfortunately. |
I had a conversation about this internally and we agreed that given the lack of control on some platforms, we likely wouldn't be too opinionated here. It seems reasonable to provide a small number of options in the API and then trust browsers to make a sensible choice beyond that. I'd like to take on board the feedback about being more generic but I still don't think we've solved the Windows case where we have no control over the biometric whatsoever. To keep things moving along I'll kick things off with a proposal to support the following:
On devices with no control like Windows, the What are the thoughts on that? |
Closing this. I am still personally interested in the API but there hasn't been any recent movement on implementation. With that in mind, it doesn't feel worthwhile updating the proposal. From Chrome's side, we see the use case for the idea at a very high level but are worried about the number of implementations for different platforms that would be needed (using macOS / Windows Hello APIs etc.) and the long-term support costs even after this was implemented across all platforms. |
Currently, the browser.secureStorage proposal relies on an authentication array which the developer can use to require specific types of authentication (for example, only face or fingerprint based biometrics).
However, I recently found out that with some implementations (like Windows Hello), it isn't currently possible to specify this and you must request authentication without any control over if biometrics or another method like a PIN code is used.
This is already the case for desktop apps using Windows Hello, so isn't a huge concern, but we should find a way of making it clear to developers that we can't guarantee what auth method secrets are protected by. My first thought is some sort of "*" authentication method that you are forced to pass in on Windows but I'm open to better suggestions.
cc/ @mukul-p - I think this is a Windows API limitation but maybe you have thoughts/there is a way of doing this.
The text was updated successfully, but these errors were encountered: