Re: [webauthn] Add to sec cons a brief discussion of the sec properties accrued by authnr & client platform proximity (#1257)

From: Nick Mooney via GitHub <sysbot+gh@w3.org>
Date: Fri, 12 Jul 2019 20:51:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-511029323-1562964692-sysbot+gh@w3.org>
I'm definitely curious to hear if folks feel that proximity _is_ a factor that provides phishing resistance properties. I've heard that reasoning more than once, but I'm not sure I understand the claim.

The architecture @emlun describes above is definitely vulnerable to phishing. I would assume that, in the case of a network-based transport, the WebAuthn client would still be required to do the domain checking that it does with the other transports. In my mind the browser would still act as the client in such a case, rather than push notifications being triggered by the RP.

Concerns about phishing can be mitigated by some sort of channel binding between the browser and the authenticator, or by placing trust in the cloud service that manages the push notifications. Both approaches have their own advantages and drawbacks.

-- 
GitHub Notification of comment by nickmooney
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1257#issuecomment-511029323 using your GitHub account
Received on Friday, 12 July 2019 20:51:35 UTC
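As an added illustration of the domain check the comment refers to (example code written for this archive page, not taken from the WebAuthn specification or the thread), the following shows the two pieces of a client's phishing resistance: the RP ID must be a registrable domain suffix of (or equal to) the caller's origin, and the origin is serialized into clientDataJSON, whose hash the authenticator signs. The public-suffix set and all origins are constructed stand-ins.

```python
import hashlib
import json

# Constructed stand-in for the Public Suffix List; a real client consults the full list.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def effective_domain(origin: str) -> str:
    """Reduce an origin such as 'https://login.example.com:8443' to its host."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host.lower()


def is_registrable_domain_suffix(rp_id: str, host: str) -> bool:
    """WebAuthn's RP ID rule: rp_id equals host or is a registrable-domain suffix of it.

    A bare public suffix ("com") is never an acceptable RP ID, and a label-boundary
    match is required, so 'example.com.evil.com' does not satisfy rp_id 'example.com'.
    """
    rp_id = rp_id.lower()
    if rp_id in PUBLIC_SUFFIXES:
        return False
    return host == rp_id or host.endswith("." + rp_id)


def client_data_hash(challenge_b64: str, origin: str, ceremony: str) -> bytes:
    """Hash of clientDataJSON as built by the client (a constructed serialization)."""
    client_data = {"type": ceremony, "challenge": challenge_b64, "origin": origin}
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()


def simulate_client(rp_id: str, origin: str, challenge_b64: str):
    """Return the clientDataHash the authenticator would sign, or None if the client
    refuses the request because the RP ID does not match the calling origin.

    Because the client (the browser) derives the origin itself, a phishing page cannot
    claim the victim's RP ID; and because the origin is bound into the signed hash,
    an assertion relayed from another origin will not verify at the real RP.
    """
    host = effective_domain(origin)
    if not is_registrable_domain_suffix(rp_id, host):
        return None
    return client_data_hash(challenge_b64, origin, "webauthn.get")


if __name__ == "__main__":
    print(simulate_client("example.com", "https://login.example.com", "Y2hhbGxlbmdl"))
    print(simulate_client("example.com", "https://example.com.evil.com", "Y2hhbGxlbmdl"))
```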