
Re: [webauthn] Add Yubico's proposed recovery extension (#1425)

From: Dain Nilsson via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 Jun 2020 13:16:37 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-638190062-1591190195-sysbot+gh@w3.org>

Another point on the usage of "clone" Authenticators: That approach introduces some security issues that we've explicitly attempted to eliminate with this proposal.

If you have a single Authenticator, how can you be sure that there isn't a clone of it somewhere that you don't know about? Maybe it originally came as part of a "2-pack", but one Authenticator was re-packaged individually for you (the other held on to by an adversary). Or, since we envision the Backup Authenticator being stored in a "secure location" and not used day-to-day, how can you discover if someone still manages to steal it? We wanted to make it impossible to covertly use a "spare key" to access your accounts.

This is why we A) make it explicit to the user when a backup credential is registered, and B) disable the "lost" credential when recovery is performed.

-- 
GitHub Notification of comment by dainnilsson
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1425#issuecomment-638190062 using your GitHub account
Received on Wednesday, 3 June 2020 13:16:40 UTC
