Re: [webauthn] Portability of private keys

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Apr 2018 12:31:02 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-380434642-1523449860-sysbot+gh@w3.org>

Yes, this is outside the scope of the WebAuthn spec.

The position Yubico has taken for our Security Key and YubiKey authenticators is that private keys can never leave the authenticator. One reason for this is the issue of attestation: the [attestation statement][att-stmt] sent in a registration request attests that the private key is created and owned by the authenticator, and has never been exposed to any other party. If it were possible to import a private key from outside the authenticator, we would not be able to attest this.

The backup strategy we recommend instead is to have a second authenticator as a backup, and register both that and your primary authenticator with each site. Then if you lose the primary authenticator, you can fall back to the backup authenticator while you set up a new primary authenticator.

[att-stmt]: https://www.w3.org/TR/webauthn/#attestation-statement

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/865#issuecomment-380434642 using your GitHub account
Received on Wednesday, 11 April 2018 12:31:04 UTC
