Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

> Access to the platform provider's cloud account does not necessarily grant access to backup credentials. That is an assumption you are making.

Uh huh. Then how does passkey work? Because if I enroll WebAuthn on say ... my MacBook Pro, and then go to my phone and use the same WebAuthn token, the private key *must* have been transmitted between the two devices. And if I enroll a new iPad to my account, it also gets the private key.

That means access to my iCloud account allows the private key to be retrieved. So the security of that private key hinges on the security of my iCloud account.


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1020634651 using your GitHub account


Received on Monday, 24 January 2022 23:00:39 UTC