Re: [webauthn] <new proposal> Extending WebAuthn Protocol for Remote Authentication (#1580)


I am having a hard time following exactly what you are trying to do.

If the image is captured in an app.  Are you trying to use the Fido attestation to identify that the app is legitimate?
I can see how at least on Android that might work with the saftyNet attestation.   It might not work so well on other platforms.

In the browser, I don't see what it is getting you, other than some sort of integrity that the page has come from some particular origin (more or less) and that a key generated for the origin is signing over some hash generated by the page javaScrypt.

Have you considered doing this with the current specs by inserting the hash as part of the challenge?

Other people have also asked for an extension that could sign over arbitrary data.  That could happen with existing CTAP2 authenticators by putting the data in clientData at the WebAuthn layer.

I still see the major flaw in this for browser applications being that tokenBinding has not been addopted so WebAuthn can't provide a end to end encryption guarentee, only a origin one, and even at that ther are xss and other attacks that could load malicious JS into the browser especilly if the uer is complicit.  

Perhaps the basic attestation is sufficent for your use case and we are trying to close too many holes. 

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 17 March 2021 20:24:36 UTC