Re: Details on Google's implementation of passkeys from Shane B Weeden on 2022-06-14 (public-webauthn-adoption@w3.org from June 2022)

From: Shane B Weeden <sweeden@au1.ibm.com>
Date: Tue, 14 Jun 2022 02:18:52 +0000
To: Adam Langley <agl@google.com>
CC: John Bradley <jbradley@yubico.com>, David Waite <dwaite@pingidentity.com>, "public-webauthn-adoption@w3.org" <public-webauthn-adoption@w3.org>
Message-ID: <B7B6E494-ED48-46FE-9CDB-6019FA0BDAD7@au1.ibm.com>

If there is no attestation on the DPK, then it cannot be considered a trusted indicator of a device-bound risk signal and we’re back to WebAuthn with passkeys essentially providing only first-factor authentication.




On 14 Jun 2022, at 2:32 am, Adam Langley <agl@google.com<mailto:agl@google.com>> wrote:

This Message Is From an External Sender
This message came from outside your organization.
On Mon, Jun 13, 2022 at 5:25 PM John Bradley <jbradley@yubico.com<mailto:jbradley@yubico.com>> wrote:
For discoverable credentials on Android will the DPK have a safety net attestation or no attestation until there is a new format?

No attestation, by current plans.


Cheers

AGL

Received on Tuesday, 14 June 2022 02:19:09 UTC