Re: Details on Google's implementation of passkeys

I will repeat what I said at the f2f: we think it’s more important to get
*something* out there that folks can start to play with, than waiting until
all the (arguably important!) features are there. Attestation is one such
feature. Stay tuned.

On Mon, Jun 13, 2022 at 19:23 John Bradley <jbradley@yubico.com> wrote:

> I think it needs to be considered single factor phishing resistant.
>
> I don’t know if DPK without attestation is really useful.
>
> It is definitely better than a password and probably better than password
> plus SMS.
>
> If the expectations are reasonable they are fine with no DPK.
>
> John B.
>
> On Mon, Jun 13, 2022 at 7:19 PM Shane B Weeden <sweeden@au1.ibm.com>
> wrote:
>
>> If there is no attestation on the DPK, then it cannot be considered a
>> trusted indicator of a device-bound risk signal and we’re back to WebAuthn
>> with passkeys essentially providing only first-factor authentication.
>>
>>
>>
>>
>> On 14 Jun 2022, at 2:32 am, Adam Langley <agl@google.com> wrote:
>>
>> On Mon, Jun 13, 2022 at 5:25 PM John Bradley <jbradley@yubico.com> wrote:
>>
>>> For discoverable credentials on Android will the DPK have a SafetyNet
>>> attestation or no attestation until there is a new format?
>>>
>>
>> No attestation, by current plans.
>>
>>
>> Cheers
>>
>> AGL
>>
>>
>>

Received on Tuesday, 14 June 2022 02:46:38 UTC