Re: [webauthn] How can we trust authenticator data flags in fmt:none response from `.create()`? (#1698)

I did some searching before posting this and found #1088 (and #1095 by extension) but these seemed too focused on potential MITM attacks. Maybe I'm supposed to infer that Secure Context + CSP are your primary defenses against entirely fabricated `authData` flags that say UV took place when it never actually did?

I'm just having a hard time reconciling advice floating around that both "UV is required for passwordless" and "you probably don't need attestation statements" when it's only attestation statements that guarantee that UV was performed because `authData` is part of the signature in the attestation statement.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1698#issuecomment-1034376352 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 February 2022 01:06:58 UTC
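As an added illustration of the point raised in the comment above (example code written for this page, not from the WebAuthn editors, the commenter, or any of their libraries): the parser below walks the fixed 37-byte authData header and the attested credential data that follows it, decodes the flags byte, and runs the only checks an RP can perform on an fmt "none" registration. It assumes the attestation object has already been CBOR-decoded into its `fmt`, `attStmt` and `authData` fields; the fixture values (RP ID `example.com`, all-zero AAGUID, credential ID bytes, a one-byte placeholder where the CBOR COSE_Key would sit) are constructed. The last function flips the UV bit in place to show that, with an empty attStmt, nothing in the response ties the flags to anything the RP can verify.

```python
import hashlib
import struct

# Bits of the authenticator data "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible
FLAG_BS = 0x10  # backup state
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows

# Constructed fixture values (not real authenticator output).
SAMPLE_RP_ID = "example.com"
SAMPLE_AAGUID = b"\x00" * 16
SAMPLE_CRED_ID = b"constructed-cred-id"
SAMPLE_COSE_KEY = b"\xa5"  # placeholder byte standing in for a CBOR COSE_Key map


def build_auth_data(rp_id, flags, sign_count, aaguid, credential_id, cose_key):
    """Assemble an authData byte string for testing (fixture builder only)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key)


def parse_auth_data(auth_data):
    """Split authData into rpIdHash, decoded flags, signCount and attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authData shorter than the 37-byte fixed header")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": {
            "up": bool(flags & FLAG_UP),
            "uv": bool(flags & FLAG_UV),
            "be": bool(flags & FLAG_BE),
            "bs": bool(flags & FLAG_BS),
            "at": bool(flags & FLAG_AT),
            "ed": bool(flags & FLAG_ED),
        },
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
        "cose_key": None,
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        if len(auth_data) < 55 + cred_len:
            raise ValueError("credentialId length exceeds remaining authData")
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        # CBOR-encoded COSE_Key (plus any extensions); left undecoded here.
        parsed["cose_key"] = auth_data[55 + cred_len:]
    return parsed


def verify_none_registration(fmt, att_stmt, auth_data, rp_id, require_uv):
    """Return the list of problems found; an empty list means the checks passed.

    With fmt "none" there is no signature over authData, so these are purely
    structural checks on bytes the client handed us; they cannot prove that UV
    (or UP) actually happened on the authenticator.
    """
    if fmt != "none":
        raise ValueError("this checker only handles fmt 'none'")
    problems = []
    if att_stmt:
        problems.append("attStmt must be empty for fmt none")
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match RP ID")
    if not parsed["flags"]["up"]:
        problems.append("UP flag not set")
    if require_uv and not parsed["flags"]["uv"]:
        problems.append("UV flag not set")
    if not parsed["flags"]["at"]:
        problems.append("AT flag not set: no attested credential data")
    return problems


def flip_uv_bit(auth_data):
    """Toggle the UV bit of the flags byte; with fmt none no check can notice this."""
    return auth_data[:32] + bytes([auth_data[32] ^ FLAG_UV]) + auth_data[33:]


def demo():
    """Exercise the checks on a UV-set fixture, a UV-clear fixture, and a tampered copy."""
    with_uv = build_auth_data(SAMPLE_RP_ID, FLAG_UP | FLAG_UV | FLAG_AT, 0,
                              SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
    without_uv = build_auth_data(SAMPLE_RP_ID, FLAG_UP | FLAG_AT, 0,
                                 SAMPLE_AAGUID, SAMPLE_CRED_ID, SAMPLE_COSE_KEY)
    return {
        "honest_uv": verify_none_registration("none", {}, with_uv, SAMPLE_RP_ID, True),
        "no_uv": verify_none_registration("none", {}, without_uv, SAMPLE_RP_ID, True),
        "forged_uv": verify_none_registration("none", {}, flip_uv_bit(without_uv), SAMPLE_RP_ID, True),
    }
```

The `forged_uv` result coming back clean is the whole point: for fmt "none" the RP's `requireUserVerification` check reduces to "byte 32 has bit 2 set", and the only things standing between that byte and whoever controls the client are the browser and the secure context it runs in.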