
Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Mon, 24 Jan 2022 23:00:38 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1020634651-1643065236-sysbot+gh@w3.org>

> Access to the platform provider's cloud account does not necessarily grant access to backup credentials. That is an assumption you are making.

Uh huh. Then how does passkey work then? Because if I enroll WebAuthn on say ... my MacBook Pro, and then go to my phone and use the same WebAuthn token, the private key *must* have been transmitted between the two devices. And if I enroll a new iPad to my account, it also gets the private key.

That means the access to my iCloud account allows the private key to be retrieved. So the security of that private key hinges on the security of my iCloud account.

GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1020634651 using your GitHub account

Received on Monday, 24 January 2022 23:00:39 UTC