Re: [webauthn] Consider allowing RPs to indicate that they want platform authenticators to be synced across devices

The ability of an authenticator to export keys (e.g. to a different authenticator instance of either (1) the same model, (2) a different model with at least the same authenticator security level, or (3) a different model with any authenticator security level) has a major impact on the ability of the relying party to understand how well the keys are protected and how the user is verified. This means that in scenario (3) the user could potentially "migrate" keys from a TEE-based authenticator using fingerprint user verification to a Rich-OS-based authenticator with a user presence check only. While the former would be considered strong enough for providing strong customer authentication according to PSD2, the latter wouldn't (and hence would need another factor).
Under scenario (3) it might also be possible to get access to the private key material in the clear, which could open up other attack vectors (e.g. asking the user to enter the private key into a malicious app that asks for the backup, claiming the original was lost).

Scenario (1) is typically supported by HSMs these days. It typically requires some cryptographic effort and sometimes even an admin-type role to ensure that only this type of key migration works.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/969#issuecomment-400939998 using your GitHub account

Received on Thursday, 28 June 2018 07:30:50 UTC
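The point of the comment above is that a relying party can only rely on the weakest authenticator a key could be migrated to. The following is an added example (not code from the thread or from the WebAuthn project) of an RP-side policy check that models export scenarios (1), (2) and (3) over an assumed fleet of authenticator models; the protection levels, model names and the simplified PSD2 rule are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Ordered levels (assumption): a higher value is a stronger property.
class KeyProtection(IntEnum):
    SOFTWARE = 1        # Rich-OS keystore
    TEE = 2             # Trusted Execution Environment
    SECURE_ELEMENT = 3  # dedicated secure hardware

class UserVerification(IntEnum):
    PRESENCE_ONLY = 1   # touch/click, no user verification
    PIN = 2
    BIOMETRIC = 3       # e.g. fingerprint

@dataclass(frozen=True)
class AuthenticatorModel:
    name: str
    key_protection: KeyProtection
    user_verification: UserVerification
    # Export scenario from the comment: 1 = same model only,
    # 2 = same or stronger models, 3 = any model, None = keys never leave.
    export_scenario: Optional[int]

def reachable_models(origin, fleet):
    """Every model a key created on `origin` could end up on after migration."""
    if origin.export_scenario is None:
        return {origin}
    if origin.export_scenario == 1:
        return {m for m in fleet if m.name == origin.name}
    if origin.export_scenario == 2:
        return {m for m in fleet
                if m.key_protection >= origin.key_protection
                and m.user_verification >= origin.user_verification}
    return set(fleet)  # scenario 3: any model, including Rich-OS presence-only

def effective_properties(origin, fleet):
    """Weakest (key protection, user verification) the RP can actually rely on."""
    reach = reachable_models(origin, fleet)
    return (min(m.key_protection for m in reach),
            min(m.user_verification for m in reach))

def satisfies_sca(origin, fleet):
    """Simplified PSD2-style rule (assumption): hardware-protected possession
    factor (TEE or better) plus a second factor (PIN or biometric)."""
    kp, uv = effective_properties(origin, fleet)
    return kp >= KeyProtection.TEE and uv >= UserVerification.PIN

# Constructed sample fleet: one model per export scenario plus a non-exporting one.
TEE_BIO_ANY = AuthenticatorModel("tee-bio", KeyProtection.TEE, UserVerification.BIOMETRIC, 3)
TEE_BIO_SAME_OR_STRONGER = AuthenticatorModel("tee-bio-r", KeyProtection.TEE, UserVerification.BIOMETRIC, 2)
SE_PIN_SAME_MODEL = AuthenticatorModel("se-pin", KeyProtection.SECURE_ELEMENT, UserVerification.PIN, 1)
RICHOS_PRESENCE = AuthenticatorModel("richos-up", KeyProtection.SOFTWARE, UserVerification.PRESENCE_ONLY, None)
FLEET = [TEE_BIO_ANY, TEE_BIO_SAME_OR_STRONGER, SE_PIN_SAME_MODEL, RICHOS_PRESENCE]
```

With this fleet, a TEE plus fingerprint authenticator that allows scenario (3) export is rated no better than the Rich-OS presence-only device it could migrate to, so it fails the SCA check, while the same hardware restricted to scenario (2) passes.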