Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

> @MasterKale please explain how multi-device WebAuthn credentials now allow a user to be phished. These are dangerous statements to casually make without an explanation.

@timcappalli this is the phishing scenario I proposed earlier as a potential avenue for impersonating a user via cloud-synced credentials:

> Consider the following scenario with passkeys:
> A user with a Google account gets phished because they never set up 2FA on their Google account. The attacker logs into the user's account on an attacker-controlled device and authenticates as the user on the RP's site.

Is this not a legitimately possible way for an attacker to abuse poor platform vendor account security (I'm not calling out Google specifically, that was just for sake of example) to then gain access to an RP that leverages WebAuthn?

GitHub Notification of comment by MasterKale


Received on Monday, 24 January 2022 15:15:05 UTC
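To make the risk in the scenario above concrete from the RP's side, here is an added example (not part of the thread, the WebAuthn spec, or any library) of the kind of policy the devicePubKey extension would enable. It assumes, as a simplification, that the extension output exposes a per-device public key as raw bytes (the `dpk` field below) and that the RP has already verified the assertion itself; signature verification of the device key is left out so the example can focus on the new-device decision. A synced passkey exercised from a device the RP has never seen, which is exactly what an attacker on an attacker-controlled device would produce, is downgraded to a step-up instead of being accepted as a phishing-resistant sign-in.

```python
"""Added example: RP-side new-device policy on top of a devicePubKey-style
extension output.  All names here are hypothetical; the 'dpk' field is an
assumption about the extension output, not the spec's exact encoding."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

ALLOW = "allow"        # assertion from a device this RP already trusts
STEP_UP = "step_up"    # valid assertion, but from an unknown device: confirm out of band
REJECT = "reject"      # credential mismatch or other hard failure


def fingerprint(dpk: bytes) -> str:
    """Stable identifier for a device public key (hash of its raw bytes)."""
    return hashlib.sha256(dpk).hexdigest()


@dataclass
class CredentialRecord:
    credential_id: str
    uses_device_keys: bool                       # extension was present at registration
    known_devices: set = field(default_factory=set)
    pending_devices: set = field(default_factory=set)


@dataclass
class AuthenticationAttempt:
    credential_id: str
    extension_dpk: Optional[bytes]               # None: no devicePubKey output returned


def register(credential_id: str, registration_dpk: Optional[bytes]) -> CredentialRecord:
    """At registration the registering device's key (if any) is trusted directly."""
    record = CredentialRecord(credential_id, uses_device_keys=registration_dpk is not None)
    if registration_dpk is not None:
        record.known_devices.add(fingerprint(registration_dpk))
    return record


def evaluate(record: CredentialRecord, attempt: AuthenticationAttempt) -> str:
    """Decide how much to trust an otherwise-valid assertion for this credential."""
    if attempt.credential_id != record.credential_id:
        return REJECT
    if attempt.extension_dpk is None:
        # A credential registered with device keys suddenly asserting without one is
        # a downgrade worth challenging; a credential that never had them is unchanged.
        return STEP_UP if record.uses_device_keys else ALLOW
    fp = fingerprint(attempt.extension_dpk)
    if fp in record.known_devices:
        return ALLOW
    # Synced credential showing up on a device the RP has never seen (the scenario
    # in the thread): remember it, but do not trust it until confirmed out of band.
    record.pending_devices.add(fp)
    return STEP_UP


def confirm_device(record: CredentialRecord, dpk: bytes) -> bool:
    """Promote a device from pending to known once the user confirmed the step-up."""
    fp = fingerprint(dpk)
    if fp not in record.pending_devices:
        return False
    record.pending_devices.discard(fp)
    record.known_devices.add(fp)
    return True


if __name__ == "__main__":
    # Constructed sample keys; real device keys would be COSE-encoded public keys.
    laptop, unknown = b"constructed-dpk-laptop", b"constructed-dpk-attacker-device"
    rec = register("cred-1", laptop)
    print(evaluate(rec, AuthenticationAttempt("cred-1", laptop)))    # allow
    print(evaluate(rec, AuthenticationAttempt("cred-1", unknown)))   # step_up
```

The point of keeping a `pending_devices` set is that the RP can distinguish "new device, never confirmed" from "new device, user already confirmed it", so a legitimate user enrolling a second phone gets one step-up and then normal sign-ins, while an attacker who only controls the cloud account keeps hitting the step-up.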