Re: [webauthn] Syncing Platform Keys, Recoverability and Security levels (#1640)

Worth noting also that solutions like [Apple's keychain syncing](https://support.apple.com/guide/security/secure-keychain-syncing-sec0a319b35f/1/web/1) (mentioned above by @dwaite and @rmondello) are ultimately password based. So although such solutions can help prevent RPs from requiring users to create _new_ passwords, they don't eliminate passwords altogether.

> When a user enables iCloud Keychain for the first time, the device establishes a circle of trust and creates a syncing identity for itself. The syncing identity consists of a private key and a public key. The public key of the syncing identity is put in the circle, and the circle is signed twice: first by the private key of the syncing identity, then again with an asymmetric elliptical key (using P-256) **derived from the user’s iCloud account password.** 

(emphasis my own)

And further, in some sense it makes the root password (in this case an iCloud password) all the more vulnerable, since the attacker's prize for compromising it is all that much bigger.

-- 
GitHub Notification of comment by certainlyNotHeisenberg
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1640#issuecomment-882759298 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 19 July 2021 18:19:11 UTC
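The two-signature "circle of trust" the quoted Apple text describes, modelled as an added Go example (this is not Apple's code and not part of the thread): a random per-device syncing identity, a P-256 key derived deterministically from the account password, the circle digest signed by both keys, and the check a second device would run before trusting the circle. The iterated-SHA-256 derivation, the circle serialization, and the sample password and salt are assumptions chosen to keep the example self-contained; Apple's real derivation and encoding are not on the page. The point it makes from the defender's side is the one in the comment: membership verification depends on a key that anyone holding the password can regenerate, so the password remains the root of trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/big"
)

// Circle is a toy model of the circle of trust: the serialized public keys of
// the syncing identities, signed once by the joining device's syncing identity
// and once by the password-derived key.
type Circle struct {
	Members     [][]byte // uncompressed P-256 points of syncing identity public keys
	IdentitySig []byte   // ASN.1 ECDSA signature by a syncing identity private key
	PasswordSig []byte   // ASN.1 ECDSA signature by the password-derived private key
}

// KeyFromPassword derives a P-256 private key from a password and salt.
// The iterated SHA-256 loop is a stand-in KDF (assumption, not Apple's
// derivation) so the example runs offline. The property that matters here is
// determinism: the same password always yields the same key pair.
func KeyFromPassword(password, salt []byte, iterations int) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	// Map the digest into [1, n-1] so it is a valid scalar for the curve.
	nMinus1 := new(big.Int).Sub(curve.Params().N, big.NewInt(1))
	d := new(big.Int).SetBytes(h[:])
	d.Mod(d, nMinus1)
	d.Add(d, big.NewInt(1))
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve}, D: d}
	priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return priv
}

// NewSyncingIdentity creates the per-device key pair; unlike the password key
// it is random and stays on the device.
func NewSyncingIdentity() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// marshalPub serializes a public key as an uncompressed point.
func marshalPub(pub *ecdsa.PublicKey) []byte {
	return elliptic.Marshal(pub.Curve, pub.X, pub.Y)
}

// circleDigest hashes the membership list with length prefixes so the signed
// message is unambiguous (serialization is an assumption of this example).
func circleDigest(members [][]byte) []byte {
	h := sha256.New()
	for _, m := range members {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(m)))
		h.Write(l[:])
		h.Write(m)
	}
	return h.Sum(nil)
}

// EstablishCircle models the first device creating the circle: it enrolls its
// own identity and produces both signatures over the membership digest.
func EstablishCircle(identity, passwordKey *ecdsa.PrivateKey) (*Circle, error) {
	c := &Circle{Members: [][]byte{marshalPub(&identity.PublicKey)}}
	digest := circleDigest(c.Members)
	var err error
	if c.IdentitySig, err = ecdsa.SignASN1(rand.Reader, identity, digest); err != nil {
		return nil, err
	}
	if c.PasswordSig, err = ecdsa.SignASN1(rand.Reader, passwordKey, digest); err != nil {
		return nil, err
	}
	return c, nil
}

// VerifyCircle is what a second device does before trusting the circle. Note
// that passwordPub is recomputable from the account password alone, so the
// password, not any device-bound secret, is the root of trust for membership.
func VerifyCircle(c *Circle, identityPub, passwordPub *ecdsa.PublicKey) bool {
	digest := circleDigest(c.Members)
	return ecdsa.VerifyASN1(identityPub, digest, c.IdentitySig) &&
		ecdsa.VerifyASN1(passwordPub, digest, c.PasswordSig)
}

func main() {
	salt := []byte("constructed-salt") // constructed sample value
	pw := KeyFromPassword([]byte("correct horse battery staple"), salt, 10000)
	id, _ := NewSyncingIdentity()
	circle, _ := EstablishCircle(id, pw)
	wrong := KeyFromPassword([]byte("wrong password"), salt, 10000)
	fmt.Println("verifies with correct password-derived key:", VerifyCircle(circle, &id.PublicKey, &pw.PublicKey))
	fmt.Println("verifies with wrong password-derived key:  ", VerifyCircle(circle, &id.PublicKey, &wrong.PublicKey))
}
```

Run with `go run .`; the first line prints `true` and the second `false`. The design choice worth noticing is that VerifyCircle takes the password-derived public key as an input: a verifier needs nothing from the original device beyond the password to reconstruct it, which is exactly why compromising that one password is worth so much more than compromising any single synced credential.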