[webkit-dev] Request for position: WebAuthn minPinLength

Adam Langley agl at chromium.org
Fri Nov 19 16:18:23 PST 2021

Dear WebKit,

As part of the Blink process we're seeking any input that WebKit may have
on the minPinLength extension in WebAuthn. What follows is the explainer
<https://github.com/w3c/webauthn/wiki/Explainer:-minPinLength> for this

Security keys are physical devices, often USB-connected, that can create
public–private key pairs and sign with the private keys to authenticate a
user. Websites can use them via the WebAuthn API
<https://www.w3.org/TR/webauthn-2/>. Several major sites allow users to
register security keys for better account security, for example, Microsoft,
Dropbox, GitHub, Google, and Facebook, to name a few.

Expert / high-sensitivity accounts are one user cohort, but security keys
are also used by enterprises and governments. In the latter contexts, they
can form part of a compliance system, for example for both public and
private sectors SP800-63-3
<https://pages.nist.gov/800-63-3/sp800-63b.html#memsecret> requires
user-selected memorized secrets (e.g. PINs) be a minimum of 8 characters.
In order to meet SP800-63-3, enterprises can use the user verification
<https://www.w3.org/TR/webauthn-2/#user-verification> feature of WebAuthn,
which involves local entry of a PIN or use of a fingerprint reader on the
security key. However, such compliance regimes often have requirements for
minimum PIN lengths greater than the default minimum
4 characters.

In order to help organizations with meeting such regulatory requirements,
the current standard for security keys (CTAP 2.1
defines an extension called minPinLength
This allows the authenticator to report, when a credential is created, the
authenticator's current configured minimum PIN length. Since the minimum
can only be decreased by resetting the security key, which erases all
credentials, an enterprise that uses this extension knows that the minimum
was enforced whenever that credential is used.

In order to prevent just any site from requesting this information, the
security key will only report the current minimum PIN length for sites that
have been explicitly preconfigured. This configuration has to be done
directly, by sending special CTAP messages
the security key. This API is not exposed over the internet. The envisioned
process is that an enterprise will enable minimum PIN length reporting for
its sign-in domain manually, on each security key, before distributing them
to employees.

The CTAP 2.1 minPinLength extension can be exposed to the Web via
WebAuthn's existing extensions mechansim
This request is being submitted as part of the Blink process because Blink
proposes to so expose it.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20211119/ffa69bf0/attachment.htm>

More information about the webkit-dev mailing list