- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 07 Dec 2022 09:56:59 +0000
- To: public-webauthn@w3.org
> how about using PBKDF2 with the PRF output as salt in conjunction with the user’s password?

I can't give a generic recommendation (nor should the spec, I think) since it'll depend greatly on the application (and since I'm personally not an expert on concerns like this; using a KDF is a pattern I've observed, but I don't know all the nuances around it). But PBKDF2 seems probably fine to me.

> Is the proposed WebAuthn L3 PRF-extension<https://w3c.github.io/webauthn/#prf-extension> function intended to be called from a native app at the device?

Native app APIs are strictly speaking not governed by the WebAuthn spec, so I'll have to pass that question on to platform vendors such as @akshayku, @christiaanbrand, @alanwaketan. But yes, in a browser that supports the PRF extension you certainly could invoke the extension without involving a remote server. Likewise a client application with access to CTAP2 could implement the same abstractions on top of HMAC-Secret to generate the same outputs as a web version of the app would get from the PRF extension, also without need for a remote server.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1830#issuecomment-1340681982 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 7 December 2022 09:57:01 UTC