[Webkit-unassigned] [Bug 202427] New: WebAuthn Client tweaks for Google's Login System
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Oct 1 12:55:41 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=202427
Bug ID: 202427
Summary: WebAuthn Client tweaks for Google's Login System
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
Assignee: webkit-unassigned at lists.webkit.org
Reporter: aczeskis at google.com
***Background***
Google launched support for U2F Security Keys long before FIDO2/WebAuthn existed. As a result all Security Keys registered to Google Accounts are "bound" to the appID https://www.gstatic.com/securitykey/origins.json.
The add-account-flow in Android is burned in by OEMs and cannot be updated — as a result, many Android devices only know how to speak U2F to authenticators. If Google were to begin registering Security Keys over WebAuthn — specifically, using an RP ID rather than an appID — Google users with Security Keys would not be able to sign into their accounts on the aforementioned Android devices. While Google intends to move fully to WebAuthn, the transition will take some time.
***Tweaks for create()***
The following describes the necessary behavior for any WebAuthn Client (that does not also provide a U2F API or that wants to deprecate its U2F APIs) so that users may register security keys with Google accounts.
Google will eventually deprecate this behavior, therefore this behavior SHALL be controlled by a (new) WebAuthn registration extension "googleLegacyAppidSupport", which will take in a single boolean value. When set to true, the "legacy behavior" defined below will be enabled; when set to false, the behavior will be disabled. When not specified, the value of this extension is false.
When receiving a WebAuthn create() request with an RP ID of google.com and the googleLegacyAppidSupport value set to true, the WebAuthn Client MUST: 1) only use the U2F transport protocol, 2) communicate only with roaming authenticators (that support U2F), and 3) use a hard-coded appID of https://www.gstatic.com/securitykey/origins.json
***Tweaks for get()***
We have previously filed bugs that describe the necessary WebAuth Client behavior changes here:
https://bugs.webkit.org/show_bug.cgi?id=196046
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191001/97e9a64a/attachment.html>
More information about the webkit-unassigned
mailing list