Biometric Criteria Extension #510
Conversation
index.bs
Outdated
| that could be leveraged when creating the credential. | ||
|
|
||
| : Extension identifier | ||
| :: `biometricBound` |
There was a problem hiding this comment.
the extension title is "Authenticator Biometric Criteria", yet the extension identifier is "biometricBound" which is inconsistent. FAR and FRR are "biometric matching criteria", yes? Perhaps the latter should be "biometricMatchingCriteria" ? And perhaps the section title ought to be "Biometric Authenticator Matching Criteria" ?
index.bs
Outdated
| :: Biometric performance bounds: | ||
|
|
||
| <pre class="idl"> | ||
| dictionary biometricCriteria{ |
There was a problem hiding this comment.
perhaps biometricCriteria should be authenticatorBiometricMatchingCriteria ?
index.bs
Outdated
|
|
||
| : Client extension processing | ||
| :: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the Authenticator Biometric Criteria | ||
| Extension and biometric authenticators are available, it MUST use the first available biometric authenticator whose FAR and FRR match the bounds as provided. |
There was a problem hiding this comment.
we perhaps ought to define "biometric authenticators" up in terminology section, and then use [=biometric authenticators=] here.
There was a problem hiding this comment.
thanks @gmandyam. Other than needing to (i think) define the input in terms of CBOR/CDDL and some further wordsmithing, this seems overall ok. HTH.
index.bs
Outdated
| float FAR; | ||
| float FRR; | ||
| }; | ||
| </pre> |
index.bs
Outdated
| @@ -3093,6 +3096,43 @@ This [=registration extension=] and [=authentication extension=] enables use of | |||
| 01 -- Subitem 3: CBOR short for Matcher Protection Type Software | |||
| </pre> | |||
|
|
|||
| ## Biometric Authenticator Matching Criteria Extension (biometricBound) ## {#sctn-authenticator-biometric-criteria-extension} | |||
There was a problem hiding this comment.
I would title it:
"Biometric Authenticator Performance Bounds Extension"
index.bs
Outdated
| ## Biometric Authenticator Matching Criteria Extension (biometricBound) ## {#sctn-authenticator-biometric-criteria-extension} | ||
|
|
||
| This [=registration extension=] allows a [=[RP]=] to specify the desired performance of a biometric authenticator | ||
| that could be leveraged when creating the credential. |
There was a problem hiding this comment.
suggest:
This [=registration extension=] allows [=[RPS]=] to specify the desired performance bounds for selecting [=biometric authenticators=] as candidates to be employed in a [=registration=] ceremony.
index.bs
Outdated
| The FAR is the maximum false rejection rate for a biometric authenticator allowed by the [=[RP]=]. | ||
|
|
||
| : Client extension processing | ||
| :: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the Authenticator Biometric Criteria |
There was a problem hiding this comment.
s/Authenticator Biometric Criteria Extension/this extension/
index.bs
Outdated
| :: Biometric performance bounds: | ||
|
|
||
| <pre class="idl"> | ||
| dictionary authenticatorBiometricMatchingCriteria{ |
There was a problem hiding this comment.
suggest:
s/ authenticatorBiometricMatchingCriteria/ authenticatorBiometricPerfBounds/
|
Thanks for review. Tried to address your comments in latest PR. Regarding CDDL, this extension is intended to terminate in the client and therefore has no required authenticator input. My interpretation of https://w3c.github.io/webauthn/#sctn-client-extension-processing is that CBOR definition is only required when a "client extension input can be used to determine the CBOR authenticator extension input." |
index.bs
Outdated
|
|
||
| : Client extension processing | ||
| :: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports the this | ||
| extension and at least one [=biometric authenticator=] is available, it MUST use the first available biometric authenticator whose FAR and FRR match the bounds as provided. |
There was a problem hiding this comment.
First off: s/the this/this/
Second:
If the client supports the this extension and at least one biometric authenticator is available, it MUST use the first available biometric authenticator whose FAR and FRR match the bounds as provided.
This formulation would likely be confusing with the new hot-plugging approach for create(). We no longer assume that there will be a single instant when you can list all "available" authenticators. Instead they will appear at some point (possibly immediately, e.g., platform authenticators) during the timeout, and the client can't know if the user will plug in an eligible biometric authenticator after the client has found a non-biometric authenticator. I therefore suggest reformulating this to something more like:
If the client supports this extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided.
|
Thanks. Changes made; please review. |
index.bs
Outdated
| @@ -3861,6 +3864,45 @@ This [=registration extension=] and [=authentication extension=] enables use of | |||
| 01 -- Subitem 3: CBOR short for Matcher Protection Type Software | |||
| </pre> | |||
|
|
|||
|
|
|||
| ## Biometric Authenticator Performance Bounds Extension (biometricBound) ## {#sctn-authenticator-biometric-criteria-extension} | |||
There was a problem hiding this comment.
nit: s/sctn-authenticator-biometric-criteria-extension/sctn-authenticator-biometric-perf-bounds/
There was a problem hiding this comment.
suggest:
s/biometricBound/biometricPerfBounds/
index.bs
Outdated
| as candidates to be employed in a [=registration=] ceremony. | ||
|
|
||
| : Extension identifier | ||
| :: `biometricMatchingCriteria` |
There was a problem hiding this comment.
suggest:
s/biometricMatchingCriteria/biometricPerfBounds/
|
wrt #510 (comment) -- what do others think? |
|
Re #510 (comment) : Seems reasonable to me. The |
index.bs
Outdated
|
|
||
| : Client extension processing | ||
| :: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this | ||
| extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. |
There was a problem hiding this comment.
How does client know these values? Are you expecting client to contact some authority who verifies it? FIDO metadata service?
There was a problem hiding this comment.
Yes, that is certainly one potential approach. Expectation is that authenticator would've gone through FIDO Biometric Cert, had its performance verified, and agreed to publish its performance data on the FIDO Metadata Service (MDS).
There was a problem hiding this comment.
This whole thing seems really brittle. It's more likely to provide a false sense of security than to actually be accurate.
There was a problem hiding this comment.
so the above text perhaps ought to additionally indicate that various platform-specific means (eg some possibly based on the MDS) are anticipated for the client platform to use in order to have knowledge of these values.
There was a problem hiding this comment.
Providing no data of this is kind is better than providing data that provides a false sense of security. Unless there are existing related deployments to cite that successfully use similar functionality, I would consider this too speculative to include in the specification.
Please consider creating a separate specification for this proposed extension. This could still be registered in the IANA WebAuthn Extensions registry, and therefore be available to implementers.
index.bs
Outdated
|
|
||
| : Client extension processing | ||
| :: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this | ||
| extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. |
There was a problem hiding this comment.
This whole thing seems really brittle. It's more likely to provide a false sense of security than to actually be accurate.
|
I am sorry; I don't understand your exact concern.
Why is https://fidoalliance.org/specs/fido-uaf-v1.2-rd-20171128/fido-metadata-statement-v1.2-rd-20171128.html#dictionary-biometricaccuracydescriptor-members insufficient for this purpose? Do you believe FRR and FAR are not sufficiently defined in this specification, and therefore a new specification is needed?
I don't understand this concern as written. Perhaps you can explain further. Do you believe that FIDO MDS information on biometric accuracy will be inaccurate and/or unverified, for instance? |
index.bs
Outdated
|
|
||
| : Client extension processing | ||
| :: This extension can only be used during {{CredentialsContainer/create()}}. If the client supports this | ||
| extension, it MUST NOT use a biometric authenticator whose FAR or FRR does not match the bounds as provided. |
There was a problem hiding this comment.
so the above text perhaps ought to additionally indicate that various platform-specific means (eg some possibly based on the MDS) are anticipated for the client platform to use in order to have knowledge of these values.
Hi Mike -- it seems to me that you are proposing a process here that the WG has not itself decided upon and is up to the WG to impose rather than individual members. |
How would you feel about this if the specified requirement in the extension, instead of
was something more like this?
|
|
building on @emlun's fine suggestion, we perhaps ought to add a pointer to where one might obtain such metadata (as we have done elsewhere in the spec):
I note in FIDO Metadata Service section 3.3 "BiometricAccuracyDescriptor dictionary" that there is provision for conveying FAR, FRR, ERR, FAAR and other applicable metadata values. |
|
By the way I'd also like to note that in the end it falls on the RP to verify any claimed performance certification by inspecting the attestation statement, and not blindly trust the client to do this verification. It is thus not critical to the integrity of the protocol that the client can derive these properties perfectly or even reliably, but it is of course nice if the extension can enable failing early. |
|
@equalsJeffH @emlun So the extentions are vendor spepcifc that is they can do what they want, so including specifics may not be the correct way to go as that may dictate a specific implementaion |
|
I think what @emlun is teasing-out is a possible impl-cons Note or something similar, that's all. |
|
After the merge conflicts are resolved, I'm now OK with this being merged. |
|
@gmandyam can you fix the branch conflicts and merge |
|
Yes - I am working on it. I am getting a Travis build failure currently and am trying to debug. |
Biometric Selection Criteria extension
Preview | Diff