W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devciePubKey extension MUST be supported if passkey is supported (#1691)

From: Tim Cappalli via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Jan 2022 15:29:25 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1020222411-1643038163-sysbot+gh@w3.org>
> > @MasterKale please explain how multi-device WebAuthn credentials now allow a user to be phished. These are dangerous statements to casually make without an explanation.
> @timcappalli this is the phishing scenario I proposed earlier as a potential avenue for impersonating a user via cloud-synced credentials:
> > Consider the following scenario with passkeys:
> > A user with a Google account get phished because they never sets up 2FA on their Google account. The attacker logs into the user's account on an attacker-controlled device and authenticates as the user on the RP's site.
> Is this not a legitimately possible way for an attacker to abuse poor platform vendor account security (I'm not calling out Google specifically, that was just for sake of example) to then gain access to an RP (which would have been fine before with device-bound credentials) that leverages WebAuthn?

I'd argue that this does not change the phishing resistance property of a WebAuthn credential. I think two different concerns are being conflated.

Also, you are making assumptions that only the primary account credential grants access to "synced" credentials. We know for a fact that this is not the case for the platform provider that currently has beta code available.

GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1020222411 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 January 2022 15:29:26 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC