The explainer mentions the use of the OpenScreen Protocol (OSP). OSP uses a pre-shared key (PSK) to authenticate two peers connecting. This is quite common in casting-type scenarios. However, it seems worth exploring potential alternatives in a browser scenario.
Underlying protocol
Some protocols (like Wi-Fi Direct) may already provide sufficient authentication. In this case it would be best to leverage those and not layer another method on top.
Signaling
It seems feasible to use an existing connection (e.g. cloud-based) to fully automate authentication, thereby significantly improving user experience. Note that user consent would still be required to request / accept a connection; only the authentication step is automated. Unlike in WebRTC, we don't need to pass any connection information. Just passing an opaque token (just like PSK) with sufficient entropy should suffice. While signaling and PSK authentication may use the same authentication protocol under the hood, mixing both strategies at the same time should not be allowed.
Passkeys / WebAuthn
Passkeys can be synced across devices. Two devices holding the same key material could use it for authentication. This would not require any user input (except consent to request / accept a connection, which remains required).
This is not meant to be an exclusive list. There may be other options. A negotiation step may be required to pick between multiple authentication methods (e.g. rate methods by user friendliness and use the best mutually available option).
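
One way the signaling option above could work, as an added example that is not part of the issue or of OSP: the token travels over the existing signaling channel, and each peer then proves possession of it on the direct link without sending it. The HMAC challenge-response, the 32-byte token size, the role labels and all function names are assumptions made for illustration; they stand in for whatever authentication protocol the link actually uses.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

TOKEN_BYTES = 32   # assumption: 256 bits counts as "sufficient entropy"
NONCE_BYTES = 16   # fixed length keeps the MAC input unambiguous


def new_token() -> bytes:
    """Opaque token, created by one peer and handed to the other over the
    existing signaling channel (never sent over the direct link)."""
    return secrets.token_bytes(TOKEN_BYTES)


def make_proof(token: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """HMAC over the sender's role and both nonces. The role label stops a
    proof being reflected back at its sender; fresh nonces stop replay."""
    msg = role + b"|" + own_nonce + b"|" + peer_nonce
    return hmac.new(token, msg, hashlib.sha256).digest()


def check_proof(token: bytes, peer_role: bytes, peer_nonce: bytes,
                own_nonce: bytes, received: bytes) -> bool:
    """Recompute the proof the peer should have sent; compare in constant time."""
    expected = make_proof(token, peer_role, peer_nonce, own_nonce)
    return hmac.compare_digest(expected, received)


def handshake(token_requester: bytes, token_acceptor: bytes) -> Tuple[bool, bool]:
    """Simulate both ends of the direct link in one process.
    Returns (requester_accepts, acceptor_accepts)."""
    n_req = secrets.token_bytes(NONCE_BYTES)   # sent requester -> acceptor
    n_acc = secrets.token_bytes(NONCE_BYTES)   # sent acceptor -> requester
    p_req = make_proof(token_requester, b"requester", n_req, n_acc)
    p_acc = make_proof(token_acceptor, b"acceptor", n_acc, n_req)
    acceptor_ok = check_proof(token_acceptor, b"requester", n_req, n_acc, p_req)
    requester_ok = check_proof(token_requester, b"acceptor", n_acc, n_req, p_acc)
    return requester_ok, acceptor_ok


if __name__ == "__main__":
    shared = new_token()
    print("same token:     ", handshake(shared, shared))
    print("different token:", handshake(shared, new_token()))
```

A plain MAC exchange like this is only reasonable because the token is random and long; a short, user-typed PSK would need a password-authenticated key exchange instead.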