
Usability and Key Management (2009) [pdf] - tosh
https://csrc.nist.gov/CSRC/media/Presentations/Usability-and-Key-Management/images-media/Usability_and_Key_Mgmt.pdf
======
pat2man
As WebAuthn has been evolving we have been able to see four vendors try to get
users to use keys for authentication. Google and Mozilla went ahead and used
the existing USB FIDO keys which was relatively easy to support, and shipped
solutions first. Then Microsoft integrated their existing Hello authentication
system which took more time but is probably more user friendly (and is not
available on all Windows systems). Finally Apple is dragging their feet, but
are spending more time making things work across all their devices using the
biometric systems that users already know.

Certificate based authentication never worked in the browser because it was
too complicated for most users to understand. This time around, if WebAuthn
can be used by a majority of users we may actually see some progress. On the
other hand, if the browser implementations still feel too complicated then
users will try to avoid it and we will be back at square one.

~~~
tialaramex
> Finally Apple is dragging their feet

Do you know something I don't here? My impression was that Apple hopes to just
ignore WebAuthn completely, since it suits Apple to have a proprietary Apple-
only system that requires everybody to buy lots of Apple branded gear if they
want any security. Only if WebAuthn is overwhelmingly successful would they be
forced to actually do anything.

As well as the complexity, Certificate auth has a privacy problem. If I have
one cert for "Nick Lamb" do I want to use that for PornHub, my Hacker News
comments _and_ for my bank account? If I need separate certificates for each
service it's quickly unmanageable, on the other hand if I don't do that I'm
tracked everywhere seamlessly. FIDO / U2F / WebAuthn fixes all this in a way
better cert UI could not.

~~~
gsnedders
https://bugs.webkit.org/show_bug.cgi?id=181943
is the WebKit metabug, and the various parts of it have started to be worked
on by an Apple engineer, which is a good sign they aren't ignoring it.

~~~
tialaramex
Thanks for that link - very informative.

------
kryogen1c
[2009]

~~~
dang
Added. Thanks!

