W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2020

Re: [webauthn] Add Yubico's proposed recovery extension (#1425)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 03 Jun 2020 18:18:34 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-638374577-1591208312-sysbot+gh@w3.org>
> If you have a single Authenticator, how can you be sure that there isn't a clone of it somewhere that you don't know about?

Supply-chain issues exist whether or not deliberately cloned sets are a thing, of course. Although you could argue that they are easier if the clones are already manufactured.

But you note a couple of meaningful security advantages of this approach. On the other side is that clones don't require any work on the RP side and are immediately compatible with all current WebAuthn-using sites. Those are weighty advantages. (Although this is probably beside the point here.) 

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1425#issuecomment-638374577 using your GitHub account
Received on Wednesday, 3 June 2020 18:18:36 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 3 June 2020 18:18:37 UTC