Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)

From: The via GitHub <sysbot+gh@w3.org>
Date: Tue, 09 Mar 2021 04:52:31 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-793390877-1615265550-sysbot+gh@w3.org>
> And before someone says "this same problem exists with the use of FIDO authenticators for authenticating users at websites today", keep in mind the problem being solved. WebAuthn and human-consumable PKI that it facilitates is really designed to address the problems of phishing and subsequent credential stuffing attacks, which I think it does reasonably well.

We are ready to tackle the injection attack issues. In the simplest example, someone hooks the WebRTC API and then injects the originally defined media data. This is not too difficult on the website. We have many business scenarios where we need to ensure the authenticity of the client data. More specifically, we need to make sure that the source of the data is from the browser or the operating system, and not externally injected data.

-- 
GitHub Notification of comment by thedreamwork
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1580#issuecomment-793390877 using your GitHub account


Received on Tuesday, 9 March 2021 04:52:33 UTC
