- From: Shane B Weeden <sweeden@au1.ibm.com>
- Date: Tue, 14 Jun 2022 03:43:58 +0000
- To: John Bradley <jbradley@yubico.com>
- CC: Christiaan Brand <cbrand@google.com>, Adam Langley <agl@google.com>, David Waite <dwaite@pingidentity.com>, "public-webauthn-adoption@w3.org" <public-webauthn-adoption@w3.org>
- Message-ID: <95D8F574-2BA9-48DD-B9C1-00CC23F1F72E@au1.ibm.com>
Apple had, for a short time, an attested, discoverable, single device credential on the platform authenticator. That has pivoted to something else entirely and there is no way to opt in to the previous capability. I completely accept such a thing has never yet existed for the Google ecosystem, and do look forward to kicking the tyres and providing feedback. The challenge for deployments where account sovereignty must not solely be in the hands of the platform provider is that without attested DPK or similar, one may as well use a persistent cookie or other weak client-side device “fingerprinting” for implementing conditional MFA, or not do conditional MFA at all and just prompt for 2FA every time. On 14 Jun 2022, at 5:16 am, John Bradley <jbradley@yubico.com<mailto:jbradley@yubico.com>> wrote: This Message Is From an External Sender This message came from outside your organization. I think that is fine. The problem is that people got there hopes up using DPK and attestation to create what is effectively a discoverable single device credential on platform authenticators. I think it might have been better to say that we release multi-device passkeys with no attestation or DPK now and then release the extensions in two years when the spec is done and implementations are ready. People seem to be disappointed something they never had is not ready. It would be better to keep it simple at launch. Just my opinion. John B. On Mon, Jun 13, 2022 at 7:46 PM Christiaan Brand <cbrand@google.com<mailto:cbrand@google.com>> wrote: I will repeat what I said at the f2f: we think it’s more important to get *something* out there that folks can start to play with, than waiting until all the (arguably important!) features are there. Attestation is one such feature. Stay tuned. On Mon, Jun 13, 2022 at 19:23 John Bradley <jbradley@yubico.com<mailto:jbradley@yubico.com>> wrote: I think it needs to be considered single factor phishing resistant. I don’t know if DPK without attestation is really useful. It is defiantly better than a password and probably better than password plus SMS. If the expectations are reasonable they are fine with no DPK. John B. On Mon, Jun 13, 2022 at 7:19 PM Shane B Weeden <sweeden@au1.ibm.com<mailto:sweeden@au1.ibm.com>> wrote: If there is no attestation on the DPK, then it cannot be considered a trusted indicator of a device-bound risk signal and we’re back to WebAuthn with passkeys essentially providing only first-factor authentication. On 14 Jun 2022, at 2:32 am, Adam Langley <agl@google.com<mailto:agl@google.com>> wrote: This Message Is From an External Sender This message came from outside your organization. On Mon, Jun 13, 2022 at 5:25 PM John Bradley <jbradley@yubico.com<mailto:jbradley@yubico.com>> wrote: For discoverable credentials on Android will the DPK have a safety net attestation or no attestation until there is a new format? No attestation, by current plans. Cheers AGL
Received on Tuesday, 14 June 2022 03:44:15 UTC