Re: [webauthn] backup states in authenticator data (#1695)

If there is no attestation or an attestation with uncertified meta-data then the RP has no idea if the credential is multi-device or not.

Current multi-device credentials do not have attestations.

There is no magic that will let an RP know that a BE=0 credential is not multi-device or that UV=1 is really the result of multifactor authentication without checking the meta-data for the authenticator.

You may be able to assume that an authenticator returning BE=1 is probably true because there is no real reason to lie.

The BE flag helps when you have a certified authenticator with a single AAGUID that may do backup on a credential-by-credential basis. (None do at this point.)

All other authenticators tend to be an all-or-nothing proposition and that can again be determined by looking in the meta-data.

If an RP is not checking meta-data now they probably don't need to in the future. Any credential they get, multi- or single-device, should be good enough. If they want to use the flags to determine if it is safe to remove the password because account recovery is taken care of, then they can do that with the flags without checking meta-data.

Anyone who wants to restrict authenticators needs to check meta-data. That is true now and will continue to be after multi-device credentials roll out.

Apple platform credentials with an attestation are currently not multi-device.
Apple platform credentials with no attestation are probably multi-device.
In future Apple can implement the flags and reintroduce attestations.

I don't think the BE flag in current credentials really needs to change state for the small number of credentials we are talking about.

If Apple wants to reflag them they can, as their authenticator is not FIDO certified so they can do anything they like. We don't need some special carve-out to deal with their beta program. I don't think anyone is going to complain too much if they do something sensible.

The immutable rule really only meaningfully applies to FIDO certified authenticators.

GitHub Notification of comment by ve7jtb
Received on Thursday, 14 April 2022 20:23:16 UTC
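The comment above argues that an RP can read BE/BS from the authenticator data flags byte but can only trust a "not multi-device" conclusion when an attestation backed by certified meta-data is present. Below is an added example (not part of this thread or the WebAuthn spec) that parses the fixed 37-byte prefix of authenticatorData and encodes that reasoning as a classification routine; the rpId, flag values and the `classify_credential` policy are constructed for illustration.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticator data flags byte (WebAuthn Level 3):
# UP = user present, UV = user verified, BE = backup eligible, BS = backup state,
# AT = attested credential data included, ED = extension data included.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticatorData into rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": bool(flags & FLAG_BE),
        "bs": bool(flags & FLAG_BS),
        "at": bool(flags & FLAG_AT),
        "ed": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def classify_credential(auth_data: bytes, attestation_fmt: str, metadata_certified: bool) -> str:
    """Hypothetical RP policy following the comment: BE=1 is a claim an authenticator
    has no reason to fake, so treat it as multi-device; BE=0 only proves single-device
    when an attestation is present and its meta-data is certified; otherwise unknown."""
    d = parse_auth_data(auth_data)
    if d["be"]:
        return "multi-device"
    if attestation_fmt != "none" and metadata_certified:
        return "single-device"
    return "unknown"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Constructed authenticatorData for this example (no attestedCredentialData)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Constructed sample: UP|UV|BE|BS set, no attestation, as a passkey-style credential might report.
    sample = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 1)
    print(parse_auth_data(sample), classify_credential(sample, "none", False))
```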