Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

> And before someone says "this same problem exists with the use of FIDO authenticators for authenticating users at websites today", keep in mind the problem being solved. WebAuthn and human-consumable PKI that it facilitates is really designed to address the problems of phishing and subsequent credential stuffing attacks, which I think it does reasonably well.

We are ready to tackle the injection attack issues. In the simplest example, someone hooks the WebRTC API and then injects the originally defined media data. This is not too difficult on the website. We have many business scenarios where we need to ensure the authenticity of the client data. More specifically, we need to make sure that the source of the data is from the browser or the operating system, and not externally injected data.

-- 
GitHub Notification of comment by thedreamwork
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1580#issuecomment-793390877 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 9 March 2021 04:52:33 UTC