- From: Adam Langley <agl@google.com>
- Date: Thu, 11 Jul 2024 16:22:57 -0700
- To: public-webauthn-adoption@w3.org
- Message-ID: <CAL9PXLyoRHL+xVdB+DEOiyYs4MCJ8z_LUhdv=KVLJ2e9MhAxMA@mail.gmail.com>
Dear all,

Setting chrome://flags/#web-authentication-enclave-authenticator to "Enabled with GPM PIN enabled" in Chrome Canary will now allow one to test syncing of GPM passkeys on Windows and macOS.

The passkey secrets themselves aren't synced directly. Rather, a Google production service is used as a key-wrapping service so that it's not possible to directly exfiltrate passkey secrets from a desktop device. Signing with a hardware-backed key on the client is required to access this service and so Windows devices must have a TPM to use GPM passkeys. The service only holds user secrets transiently in memory and runs under SEV-SNP <https://www.amd.com/en/developer/sev.html> using Oak <https://github.com/project-oak/oak/blob/main/README.md>. While not available yet, the source and a reproducible build will be published. Chrome will later gain the ability to check the attestation from AMD and record the code hashes observed, which will match up with the reproducible build.

There is not yet support for using GPM passkeys on iOS and so Chrome on macOS will only default to creating credentials in GPM if there is evidence that the user would be well served by this vs using iCloud Keychain. Such evidence includes: having passkeys in GPM already, syncing to a non-Apple device, or having denied Chrome iCloud Keychain permission in the past.

If reporting a bug, please include the contents of chrome://device-log.

Cheers

AGL
Received on Thursday, 11 July 2024 23:23:18 UTC