Re: Details on Google's implementation of passkeys

I think it needs to be considered single factor phishing resistant.

I don’t know if DPK without attestation is really useful.

It is definitely better than a password and probably better than password
plus SMS.

If the expectations are reasonable, they are fine with no DPK.

John B.

On Mon, Jun 13, 2022 at 7:19 PM Shane B Weeden <sweeden@au1.ibm.com> wrote:

> If there is no attestation on the DPK, then it cannot be considered a
> trusted indicator of a device-bound risk signal and we’re back to WebAuthn
> with passkeys essentially providing only first-factor authentication.
>
>
>
>
> On 14 Jun 2022, at 2:32 am, Adam Langley <agl@google.com> wrote:
>
> On Mon, Jun 13, 2022 at 5:25 PM John Bradley <jbradley@yubico.com> wrote:
>
>> For discoverable credentials on Android will the DPK have a safety net
>> attestation or no attestation until there is a new format?
>>
>
> No attestation, by current plans.
>
>
> Cheers
>
> AGL
>
>
>

Received on Tuesday, 14 June 2022 02:23:24 UTC