Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Jan 2022 01:22:46 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1019628351-1642987365-sysbot+gh@w3.org>

Your point about extensions being optional and easy for browsers or authenticators to ignore (or be incapable of supporting) is a valid one. I don't know what a path forward is now... tell RPs to let passkeys happen and forget about `devicePubKey` since it can't reliably achieve its intended goal of supporting pre-passkey operation before passkeys deploy?

> And at the point someone has access to my google, they have my email and can reset all my account passwords anyway. So what is this really defending from?

I think this highlights a flaw in passkeys: that now there is an avenue to phish users when originally the spec made WebAuthn-based authentication phishing resistant. Is that trade-off worth it for an actual account recovery story for the consumer market?

GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019628351 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 January 2022 01:22:48 UTC
