Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

Browser Authentication + SSO Issues and Outlook

(Rainer Hörbe)

  • Apple is going to change the policy in Safari regarding the cookies; learning about it; potential problems
  • Safari will use only session cookies
  • Direct impact – domain name such as Safari, future browsers having that name storing the information
  • common domain cookie would be a resolution of the issue; they have to go to the domain where the cookie is used and ask; acting as if it’s happening right now; other browser vendors Discovery case
  • Research has to be made, WebAuth is going to impact all of this

(Discussion with Leif:)

Impact that that might have?

Interact with your main keys

Q: Would the change in Safari will it have consequences? Will it happen?

A: you can’t set global cookies; you can’t have global cookies in an iFrame; any kind of SSO where you are using cookies, redirecting to the IdP; trick ppl to accepting global cookie; not cookies we tend to use for IdP;

Q: They could just reuse it?

A: It’s only once per device; You need to set global cookies from the main window.

A: In many browsers exposed as an alternative setting; So, it has some flow implications that will disable certain optimizations in the UI

Q: Is there a WebAuth dimension to this?

A: No

Start registering tokens as an SP, collect just name and email. This would reduce federation.

WebAuth is a W3 specification ( in the frontend, JavaScript interface to your authentication platform 2-way - really makes the browser frontend into a smartcard pile; every relying party that asks for Auth; elliptical key pad if your platform is a regular browser, you generate an elliptical key; keeps that key as a reference to you Works with YubiKey etc., works with keys encrypted per relying party

Q: How do they know this is the one?

A: You tell it which key handle you want to use


Main difference between WebAuth and FIDO U2F is that WebAuth has a PIN capability. CTAP is a FIDO standard, runs over BTLE and 802.3x; There are various token types; token is an abstract thing; default token or you might do a physical token; based on the level of the token; it’s supposed to be burned in the device distinguish between token A and B; Need to do attestation, but this could be abused for user tracking. I want the user to use my token –> political fighting in the browser community for attestation
Web Auth is designed to target persistent identifier; 2 parties completely unlinkable Chrome - mitigating that stuff with attestation You get a high level of unlinkability, -> Problem with recovery; speculating what a recovery mode might look like Facebook - backchannel signaling; Do people perceive the level of recovery a problem? You’re a relying party - passwords are a liability; data that can get stolen; assurance level that if a relying party you want to stop having passwords; Account recovery is an issue, there is no Lol Account recovery IdP Email recovery via 2 accounts; having a recovery account with multiple tokens; if you keep more tokens at one place like amazon, you can recover your account on another website Both for soft tokens and ubi tokens, you will require more than 2; we want to know how many tokens we have registered You have two, you cannot do account recovery without 2 tokens soft tokens- cannot be seen; soft tokens will be connected with backend a lot of people enable physical tokens Convenience of usability in exchange for loss of privacy Credible path to not being tracked at all - user tracking in…is almost impossible Cannot do that without control over the client - only Chrome can do that today

Q: What technology would I have to add to have the same functionality?

A: ZKPs (Zero Knowledge Proofs) public key handle per user; keep track of public key handles

Q: Does that work in China? A: there are always legitimate worries about supply chains; supply chain security matters.

Good news of WebAuth are that user tracking is difficult if WebAuth is properly implemented; trackable through passwords/email addresses

Q: why would you keep Facebook and Google Sign-up?

A: Possibly left hand not knowing what right one is doing, different motivations in a large house. The problem of phishing and security breaches; most people will use Google Authenticator; most used OTPs are Google’s Authenticator extremely easy to hijack using OTPs today

Adam Langley’s blog post on Zero Knowledge Proofs