Design Review #687

#687: WebAuthn minPinLength

Opened Nov 5, 2021

I'm requesting a TAG review of the minPinLength extension of CTAP 2.1, which would be exposed via WebAuthn.

In order to help organizations with meeting regulatory requirements, the current standard for security keys (CTAP 2.1) defines an extension called minPinLength. This allows the authenticator to report, when a credential is created, the authenticator's current configured minimum PIN length. Since the minimum can only be decreased by resetting the security key, which erases all credentials, an enterprise that uses this extension knows that the minimum was enforced whenever that credential is used.

Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-minPinLength
Specification URL: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension
Tests: https://chromium-review.googlesource.com/c/chromium/src/+/3256056/4/third_party/blink/web_tests/external/wpt/webauthn/createcredential-minpinlength.https.html
Primary contacts (and their relationship to the specification):
- Adam Langley (agl), Google
Organization(s)/project(s) driving the specification: Microsoft

Further details:

I have reviewed the TAG's Web Platform Design Principles
The group where the work on this specification is currently being done: FIDO

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue

Discussions

Discussed Nov 1, 2021 (See Github)

Dan: hadley left a comment.. I can't see any issue, looks like a small thing, recommend we close approved, small delta to existing spec. If anything it adds security.

Peter: there was something weird about where the minpinlength is specified, only works for certain origins or something. Last paragraph..

Dan: now I'm re-reading that I'm realising what explicitly preconfigured means. I had assumed it meant something like a header. But ..

Peter: set on the key through some out of band mechanism.

Dan: what do they mean by preconfigured? Sending special ctap messagse to the security key..

Peter: not exposed over the internet. A company can preconfigure the key..

Dan: that's okay. As long as it doesn't require some kind of allowlist in the browser that makes sense. Those keys need to be configured somehow, out of band.

Peter: if it's purely on the key... i think this is okay. Okay closing this.

Dan: [closed]

Breakout C

Dan: reopened same-origin preredinger triggered by speculation rules because speculation rules was brought into wicg. There are a lot of potential unintended consequences of trying to prerender something. A lot we could think of were taken into account in the spec and explainer. They had a good story around privacy and security. Choice on what to prerender shouldn't happen based on knowledge the client might have, and things like that. The issues still remains what's the story with speculation rules - no signals. We have new contacts for it.

Discussed Nov 1, 2021 (See Github)

Dan: we discussed it, seems like a small change, but they want us to review. If we think its fine we just need to say that. Make it a short review.

Comment by @hadleybeeman Nov 10, 2021 (See Github)

Hi @agl! We're just having a look at this issue — it just seems that you're just adding this feature to WebAuthn. Are you expecting there to be any web architectural issues? Or is the issue just to ask if we see any?

We can have a look, but if you're just adding to WebAuthn and the ramifications will all be within WebAuthn, we don't need to check it. :)

Comment by @chrishtr Nov 15, 2021 (See Github)

We can have a look, but if you're just adding to WebAuthn and the ramifications will all be within WebAuthn, we don't need to check it. :)

Hi Hadley,

While this might end up being just a simple addition to WebAuthn, it's hard to tell with web platform features when this is the case, or if there is some other unforeseen complication or relation to another feature. That's why the Blink process asks for a TAG review for all new features, even if they appear to be very small.

If it would help, maybe there could be a bit TAG review requesters could set that says something like "I think this feature is trivial/very simple", but IMO it will still be hard to judge, for the reason mentioned above.

I think it'd be better if the TAG could just quickly review situations like this review, and if it does appear to be entirely simple and self-contained, just resolve the review as satisfied, with a comment delegating trust that the spec WG's consensus system already covered it.

Comment by @torgo Nov 24, 2021 (See Github)

Hi @agl @chrishtr thanks for this. We've spent some time going through it this week and we're happy with the design and happy with closing this based on the information provided. Great to see security being boosted on the web.