
Re: [webauthn] Portability of private keys

From: HuangYuSan via GitHub <sysbot+gh@w3.org>
Date: Wed, 11 Apr 2018 15:12:13 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-380488293-1523459531-sysbot+gh@w3.org>
I agree that the private keys can't ever leave the authenticator. But just having two of them is not a viable solution either: to be able to sign up for a new service, e.g. from my office, I either have to take both of them with me; then, if I lose my briefcase, both are gone, so the point of a backup, which is redundancy, is lost. Or I could remember to set up a second key on my backup authenticator at home; I might easily forget, and only notice when it's too late.

I think what we should have is a standardised duplication protocol, so that a duplicate of one key can be registered for another authenticator without me having to click through things in the browser. So at any time, I can plug in my USB backup authenticator and it syncs with my phone or laptop by registering a duplicate of every new credential (after confirmation on the primary authenticator). That has some privacy implications (the RP knows when I'm syncing my backup), but we can't avoid that anyway other than by either not creating a backup at all or releasing data from the authenticator.

GitHub Notification of comment by HuangYuSan
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/865#issuecomment-380488293 using your GitHub account
Received on Wednesday, 11 April 2018 15:12:15 UTC
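The sync step proposed in the comment above, as an added Go example that is not part of this thread or of the WebAuthn spec: a toy RP that stores one P-256 public key per registered device, two authenticators that never export a private key, and a `confirm` callback standing in for the user's confirmation on the primary. The RP names, challenge bytes and function names are assumptions for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// RP is one relying party's credential list for a user: one public key per registered device.
type RP []*ecdsa.PublicKey
// Authenticator holds one private key per RP ID; nothing below ever exports those keys.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// Register mints a fresh P-256 key pair for rpID and hands rp only the public half.
func (a *Authenticator) Register(rpID string, rp *RP) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID], *rp = priv, append(*rp, &priv.PublicKey)
	return nil
}

// Assert: a signs rp's challenge with its key for rpID; rp accepts if any credential verifies it.
func Assert(a *Authenticator, rpID string, rp RP, challenge []byte) bool {
	h := sha256.Sum256(challenge)
	if priv, ok := a.keys[rpID]; ok {
		if sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:]); err == nil {
			for _, pub := range rp {
				if ecdsa.VerifyASN1(pub, h[:], sig) {
					return true
				}
			}
		}
	}
	return false
}

// SyncBackup is the duplication step from the comment: for each RP the primary has a credential
// with and the backup lacks, the backup registers its own, gated by confirm (the user's
// confirmation on the primary). Only RP IDs cross between devices. Returns how many were added.
func SyncBackup(primary, backup *Authenticator, rps map[string]*RP, confirm func(string) bool) int {
	n := 0
	for rpID := range primary.keys {
		if _, have := backup.keys[rpID]; !have && confirm(rpID) && backup.Register(rpID, rps[rpID]) == nil {
			n++
		}
	}
	return n
}
```

A declined confirmation registers nothing, and a repeated sync is a no-op because the backup already holds a credential for each RP.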
