W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

From: Tim Cappalli via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Jan 2022 22:57:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1020632731-1643065036-sysbot+gh@w3.org>
> Look at the DPK proposal, the whole point is to just signal that something might be a passkey, but's it's not definitive, there is no way to make it definitive, because all a passkey implementor has to do to lie, is just omit DPK or whatever flags are decided on.

@Firstyear not really correct. The DPK is simply a second, hardware-bound key and can be used if the credential is a multi-device WebAuthn credential or a single-device WebAuthn credential. It does not specifically signal whether multi-device or single-device WebAuthn credentials are being used.

> @timcappalli If the passkey is synced with a cloud provider, then access to the cloud account allows downloading and retrieval of the passkey. So if the cloud provider account is phished, then the passkey can be retrieved. Thus the phish occurs on the cloud account, not between webauthn and the RP. It's phishing to credential theft.

Access to the platform provider's cloud account does not necessarily grant access to backup credentials. That is an assumption you are making. 

GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1020632731 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 24 January 2022 22:57:19 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC