Draft: WebAuthn recovery extension

Hi all,

Here is our current draft of the recovery extension idea I presented at
TPAC today. We don't yet feel comfortable sharing the details of the crypto
in a public document, since we haven't yet had it properly vetted, but
you're welcome to come ask and I can give you an informal outline of our

Extension draft:
Presentation slides:

I noted some comments during the discussion following the presentation:

- Say I have main authnr A, backup authnr B. Let's say B is much less
capable than A. Lose A. Now I buy a new main authenticator C, and want B to
still be a backup for C instead of using C as a backup for B.
  - This is currently doable, but requires recovering with B at every RP,
then registering C at every RP. Would it be possible to "forward" recovery
from B to C, so I only need to "associate" B with C and then recover with C

- Make the `generate` action apply to create() as well. There's no
guarantee that get() will ever be called, but there is a guarantee that
create() has been called at least once.

- Provide transports in `generate` so that CaBLE works for recovery ceremony

I look forward to your additional comments and questions.


Emil Lundberg

Software Developer | Yubico <http://www.yubico.com/>

Received on Monday, 22 October 2018 10:20:27 UTC