Difference between revisions of "Credential Management"
From MgmtWiki
(→Full Title) |
(→Problems Addressed) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Full Title== | ==Full Title== | ||
| − | This page is about the W3C CredentialManagement API which is often abbreviated as CredMan.. | + | * This page is about the W3C CredentialManagement API which is often abbreviated as CredMan.. |
| + | * This also is support by [[Web Authentication]] and [[WebAuthn 2]]. | ||
==Context== | ==Context== | ||
* For general information about recovery or other topics see the web page [[Credential]]. | * For general information about recovery or other topics see the web page [[Credential]]. | ||
| + | ==Problems Addressed== | ||
| + | * Protection against phishing: An attacker who creates a fake login website can't login as the user because the signature changes with the origin of the website. | ||
| + | *Reduced impact of data breaches: Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, it can't authenticate because it needs the private key. | ||
| + | * Invulnerable to password attacks: Some users might reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a [[Digital Signature]]. | ||
==Solutions== | ==Solutions== | ||
| − | For current bug list on blink see [https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECredentialManagement this site]. | + | * For current bug list on blink see [https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECredentialManagement this site]. |
| + | * [https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-browser-credentials-federated-id.html Using Web Federated Identity to Authenticate Users] Amazon WS | ||
| + | * [https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API Web Authentication API] from Mozilla | ||
| + | * [https://developers.google.com/web/updates/2020/10/webauthn-tab Web AuthN debug tab] from Google | ||
| + | * [https://condatis.com/news/blog/trust-in-self-sovereign-identity-ssi/ Trust in self-sovereign-ID] Condatus - SIOP and MS Authenticator | ||
| + | * [https://didproject.azurewebsites.net/docs/overview.html Verifiable Credentials Preview by Azure AD] from Microsoft | ||
==References== | ==References== | ||
[[Category:Standard]] | [[Category:Standard]] | ||
Revision as of 12:30, 24 May 2021
Full Title
- This page is about the W3C CredentialManagement API which is often abbreviated as CredMan..
- This also is support by Web Authentication and WebAuthn 2.
Context
- For general information about recovery or other topics see the web page Credential.
Problems Addressed
- Protection against phishing: An attacker who creates a fake login website can't login as the user because the signature changes with the origin of the website.
- Reduced impact of data breaches: Developers don't need to hash the public key, and if an attacker gets access to the public key used to verify the authentication, it can't authenticate because it needs the private key.
- Invulnerable to password attacks: Some users might reuse passwords, and an attacker may obtain the user's password for another website (e.g. via a data breach). Also, text passwords are much easier to brute-force than a Digital Signature.
Solutions
- For current bug list on blink see this site.
- Using Web Federated Identity to Authenticate Users Amazon WS
- Web Authentication API from Mozilla
- Web AuthN debug tab from Google
- Trust in self-sovereign-ID Condatus - SIOP and MS Authenticator
- Verifiable Credentials Preview by Azure AD from Microsoft
