Re: [webauthn] Consider allowing RPs to indicate that they want platform authenticators to be synced across devices (#969)

Would it be possible to have some form of derived key that can be synced to trusted devices while still retaining the authority of the original key but doesn't carry its attestation?

e.g. a flow would look something like this:

- User on `DeviceA` enables sync to `DeviceB`, user gives authority
- For each key to sync
  - `DeviceA` creates a derived key and encrypts it using `DeviceB`'s public key
  - Some service transfers the derived key to `DeviceB`
  - `DeviceB` decrypts the derived key and adds it to its list of keys
- Upon user attempting to login from `DeviceB`
  - If attestation is required then prompt for attestation from this new device
  - Else proceed with login silently

-- 
GitHub Notification of comment by Jamesernator
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/969#issuecomment-540903768 using your GitHub account

Received on Friday, 11 October 2019 04:52:03 UTC