[knome]

if OpenID stops at embracing webauthn and making it a common login method, allowing people to use their own separate webauthn implementations, that's fantastic. they can make it easy mode for normal users, while letting companies and security conscious individuals use whatever webauthn client they want.

[drdaeman]

Those two are fundamentally/conceptually incompatible, aren't they? Webauthn is about user having ownership of their own identity (as proven by them holding the keypair(s)), while OpenID (and OpenID Connect) is about identity never being owned but always provided by a third party (even if this third party is technically the same person).

[knome]

I'm not sure. I remember looking at OpenId when it was announced, and the rabbit hole I ran down made me think it was built on webauthn in some fashion, as a set of providers or something.

If that's not the case, that is very unfortunate. I veered into reading the webauthn spec for a bit then and found I largely liked what I found there.

Some complexity from trying to define how to handle people lugging around shareable keys on their phones and similar in the spec, but overall I liked it. I found it all very reasonable.

[a1445c8b]

It’s not built on WebAuthn but it could work with it. WebAuthn is essentially just an alternative to typing in your password.

[knome]

>WebAuthn is essentially just an alternative to typing in your password.

I had thought it was the key confirmation used by openid and that openid was more of an industry keying system backend and push for webauthn on websites. Apparently I need to reread it.

webauthn removes all secret information on the company side, making company password database breaches a thing of the past. "Oh no, you stole a public key specific to this website that you can't even use to log into the site you stole it from because you need the private key to do that"