Re: [webauthn] Add Yubico's proposed recovery extension (#1425)

> If you have a single Authenticator, how can you be sure that there isn't a clone of it somewhere that you don't know about?

Supply-chain issues exist whether or not deliberately cloned sets are a thing, of course. Although you could argue that they are easier if the clones are already manufactured.

But you note a couple of meaningful security advantages of this approach. On the other side is that clones don't require any work on the RP side and are immediately compatible with all current WebAuthn-using sites. Those are weighty advantages. (Although this is probably beside the point here.)

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1425#issuecomment-638374577 using your GitHub account

Received on Wednesday, 3 June 2020 18:18:36 UTC