[Webkit-unassigned] [Bug 202427] New: WebAuthn Client tweaks for Google's Login System

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 1 12:55:41 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=202427

            Bug ID: 202427
           Summary: WebAuthn Client tweaks for Google's Login System
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aczeskis at google.com

***Background***
Google launched support for U2F Security Keys long before FIDO2/WebAuthn existed.  As a result all Security Keys registered to Google Accounts are "bound" to the appID https://www.gstatic.com/securitykey/origins.json.

The add-account-flow in Android is burned in by OEMs and cannot be updated — as a result, many Android devices only know how to speak U2F to authenticators.  If Google were to begin registering Security Keys over WebAuthn — specifically, using an RP ID rather than an appID — Google users with Security Keys would not be able to sign into their accounts on the aforementioned Android devices.  While Google intends to move fully to WebAuthn, the transition will take some time.


***Tweaks for create()***
The following describes the necessary behavior for any WebAuthn Client (that does not also provide a U2F API or that wants to deprecate its U2F APIs) so that users may register security keys with Google accounts.

Google will eventually deprecate this behavior, therefore this behavior SHALL be controlled by a (new) WebAuthn registration extension "googleLegacyAppidSupport", which will take in a single boolean value.  When set to true, the "legacy behavior" defined below will be enabled; when set to false, the behavior will be disabled.  When not specified, the value of this extension is false. 

When receiving a WebAuthn create() request with an RP ID of google.com and the googleLegacyAppidSupport value set to true, the WebAuthn Client MUST: 1) only use the U2F transport protocol, 2) communicate only with roaming authenticators (that support U2F), and 3) use a hard-coded appID of https://www.gstatic.com/securitykey/origins.json


***Tweaks for get()***
We have previously filed bugs that describe the necessary WebAuth Client behavior changes here:
https://bugs.webkit.org/show_bug.cgi?id=196046

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191001/97e9a64a/attachment.html>

More information about the webkit-unassigned mailing list