Re: [webauthn] Syncing Platform Keys, Recoverability and Security levels (#1640)

@akshayku This is a huge and looming issue for mobile devices. I didn't quite get what a "synced" credential is. Do you mean that it would require private key export? I hope not. A possible solution is syncing FIDO metadata, like "user has a key for mybank.com which can be enrolled at https://enroll.mybank.com". If a new device is to be used, the key will not be found and the user could be asked to use the original device to initiate a secure cloning request. A "manual" cloning concept is currently used by 5 million Swedes for "bootstrapping" their mobile BankID, which is used by banks as well as government services.

In the case the user has lost all keys/devices, I have no idea what to do except start over, although synced FIDO metadata could (maybe) make the enrollment and KYC somewhat simpler.

-- 
GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1640#issuecomment-878798406 using your GitHub account


Received on Tuesday, 13 July 2021 05:48:51 UTC