Open Bug 1821785 Opened 1 year ago Updated 1 month ago

Add a prompt select between platform and cross-platform authenticator

Categories: Core :: DOM: Web Authentication, enhancement, P2

People: Reporter: jschanck, Unassigned

References: Blocks 2 open bugs

Attachments: 1 file

In response to a MakeCredential request that does not specify an authenticator attachment, if we detect that a platform authenticator is available (e.g. Touch ID), we should prompt the user to choose between the platform authenticator and an external security key.

I've attached a screenshot of the prompt from Safari on macOS 13 with iCloud keychain enabled.

We'll also need a prompt when using a credential, although in that case we'll only show that prompt if we detect a usable credential on the platform authenticator; otherwise we'll assume that the user needs to connect an external security key.
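For relying-party developers following this bug, the request shape involved, as an added example that is not Firefox code and is not attached to this bug: leaving `authenticatorSelection.authenticatorAttachment` unset is the case the description covers (the browser, not the site, decides between a platform authenticator and a security key), and the `authenticatorAttachment` property on the returned `PublicKeyCredential` (a WebAuthn Level 3 addition, absent on older engines) reports which kind was actually used. The `rpId`, user values and the all-zero challenge are constructed placeholders; a real relying party generates the challenge server-side.

```javascript
// Added example, not code from Firefox or from this bug.
// Relying-party-side helpers around navigator.credentials.create().

const ATTACHMENTS = new Set(["platform", "cross-platform"]);

// Build PublicKeyCredentialCreationOptions. When `attachment` is undefined the
// authenticatorAttachment key is omitted entirely, so the browser must choose
// (or, per this bug, ask the user) between a platform authenticator and an
// external security key. Passing "platform" or "cross-platform" pins the choice.
function buildCreationOptions({ rpId, userId, userName, challenge, attachment }) {
  if (attachment !== undefined && !ATTACHMENTS.has(attachment)) {
    throw new TypeError(`unknown authenticatorAttachment: ${attachment}`);
  }
  const authenticatorSelection = {
    residentKey: "preferred",
    userVerification: "preferred",
  };
  if (attachment !== undefined) {
    authenticatorSelection.authenticatorAttachment = attachment;
  }
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: "none",
    authenticatorSelection,
  };
}

// Classify the credential the browser returned. `authenticatorAttachment` on
// PublicKeyCredential is a Level 3 field and may be null or missing, so anything
// other than the two defined values is reported as unknown rather than guessed.
function describeAttachment(credential) {
  const a = credential && credential.authenticatorAttachment;
  if (a === "platform") return "platform authenticator (e.g. built-in biometric)";
  if (a === "cross-platform") return "external security key";
  return "unknown (browser did not report authenticatorAttachment)";
}

// Browser entry point. In a page this calls navigator.credentials.create();
// where no WebAuthn API exists (e.g. under Node) it returns null instead of throwing.
async function register(options) {
  if (typeof navigator === "undefined" || !navigator.credentials ||
      typeof PublicKeyCredential === "undefined") {
    return null;
  }
  // Lets the RP know whether a platform authenticator (e.g. Touch ID) exists,
  // which is the same signal the bug proposes the browser use before prompting.
  const platformAvailable =
    await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
  console.log("platform authenticator available:", platformAvailable);
  const cred = await navigator.credentials.create({ publicKey: options });
  console.log(describeAttachment(cred));
  return cred;
}

// Constructed sample values (placeholders, not real RP data).
const sampleOptions = buildCreationOptions({
  rpId: "example.com",
  userId: new Uint8Array([1, 2, 3, 4]),
  userName: "alice@example.com",
  challenge: new Uint8Array(32), // placeholder, not random
});
```

`register(sampleOptions)` in a page exercises the unspecified-attachment path; pass `attachment: "cross-platform"` to `buildCreationOptions` to see the prompt this bug describes skipped in favour of a security key.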

Please let me know if this is the wrong place to be posting input on the feature.

I have yet to dig deep into the SDKs for Passkeys, as Apple calls them, but one should bear in mind that as of the latest iOS/macOS available (16.4.1 (a)), Apple does not offer the option to use the local device as the authenticator. Instead one is required to use iCloud Keychain or an external authenticator.

The (public) rationale for this is that it prevents lockout if a user loses their device with the authenticator on it, and provides a better user experience. Not wanting to start a battle of opinions over Apple and their implementation, the following are known to be the case:

  • The iCloud Keychain authenticator method involves uploading the private key to the iCloud account, in an encrypted format where the key is protected by the user password and an account specific key. This is inherently less secure than using the Secure Enclave (TPM) built into the hardware as a platform authenticator. (Reference: https://www.slashid.dev/blog/passkeys-deepdive/)
  • Passkey attestation data appears to be incomplete (source: above article)
  • The current passkeys implementation mandates either the use of iCloud for the convenience of authenticating on the user’s current device, or the use of an external authenticator.

I would suggest that it is preferable not to require users to use iCloud as a prerequisite for using a better, more secure authentication mechanism than passwords.

Hey John, is there a better place to follow the work on this than this ticket and bug 1536482?

Depends on: 1853230
See Also: 1865379