Re: [webauthn] How can we trust authenticator data flags in fmt:none response from `.create()`? (#1698)

IMO the "unwritten" attitude in the webauthn community is that if you request "attest:none" then you are only asking for a single factor, being a public key. Everything else is "off the cards" and you need to combine this with other factors to create an MFA setup.

If you want to "trust" UV, you need to do attestation checks and validate the supplier etc. This is because you are now putting your sole trust into one device as a self-contained multi-factor authenticator (per NIST SP 800-63B) and so you should validate the authenticity of that device if it is to be used in this manner.

This largely is a case of "webauthn as a spec is a kitchen sink" of trying to fit multiple workflows into a single standard, without it being written what the "ways are" to hold it correctly. But to muddy this water, you then get devices like CTAP2.0 that will always give UV=true on discouraged during .create() but never during .get(), which is super confusing to both the RP and the User.


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1698#issuecomment-1034380818 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 10 February 2022 01:13:49 UTC
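An RP-side policy check of the kind the comment above describes, written here as an added example (it is not code from the thread, the spec, or any library). It assumes the attestation statement was already verified before `registration_fmt` is passed in, and the AAGUID allow-list is a constructed placeholder; the authenticatorData bytes are constructed for the test and omit the COSE public key.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Bit positions of the authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows (only in .create() responses)


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]  # present only when FLAG_AT is set


def parse_auth_data(auth_data: bytes) -> AuthData:
    """Parse the 37-byte fixed prefix and, if attested credential data is present, the AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    aaguid = None
    if flags & FLAG_AT:
        if len(auth_data) < 53:
            raise ValueError("attested credential data truncated")
        aaguid = auth_data[37:53]
    return AuthData(auth_data[:32], flags, sign_count, aaguid)


def factors_proven(registration_fmt: str, auth_data: bytes, trusted_aaguids: Set[bytes],
                   registered_aaguid: Optional[bytes] = None) -> int:
    """Count the factors the RP may rely on. Possession of the key is always one factor; the UV
    flag counts as a second factor only if the credential was registered with a verified,
    non-"none" attestation from an authenticator on the (hypothetical) allow-list. For .get()
    responses the AAGUID is not in authData, so the value stored at registration is used."""
    parsed = parse_auth_data(auth_data)
    aaguid = parsed.aaguid if parsed.aaguid is not None else registered_aaguid
    uv_trustworthy = registration_fmt != "none" and aaguid in trusted_aaguids
    return 2 if (parsed.flags & FLAG_UV and uv_trustworthy) else 1


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: Optional[bytes] = None) -> bytes:
    """Construct a minimal authenticatorData for testing (credentialId only, no COSE key)."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    if aaguid is not None:  # constructed 16-byte credentialId with length prefix 0x0010
        data += aaguid + b"\x00\x10" + b"\x11" * 16
    return data
```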