Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

What RPs need to know about multi-device WebAuthn credentials is:
when invoking get() for authentication, whether the assertion is coming back from 1) an already accepted device or 2) a new (unknown) device. RPs consider that 2) may be less trusted, so that they can run their own risk engine. They will determine whether the assertion coming from the new device can be trusted based on their own policy. The RP can bear the full legal responsibility for the decision if any incidents happen. Such RPs cannot accept multi-device WebAuthn credentials from unknown devices, which include unknown security characteristics of the platform vendor as well as the user's security settings for the platform vendor's account at the time.

This is why dpk should always be provided if multi-device WebAuthn credentials are provided.
They are inseparable companion features to ensure backward compatibility with the security model where the credentials were bound to devices. It is disappointing if WebAuthn cannot mandate such an important issue.




-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021266481 using your GitHub account
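The known-device / new-device decision the comment describes, as an added example (not code from the commenter or from the WebAuthn spec). It assumes the RP has already verified the assertion and the extension's own signature, and that the extension output reaches this code as a dict keyed "devicePubKey" whose "dpk" entry is the COSE-encoded device key; both are assumptions, and the sample keys are constructed.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class CredentialRecord:
    """What an RP stores per credential: the fingerprints of device
    public keys it has already accepted for that credential."""
    credential_id: bytes
    known_device_keys: set = field(default_factory=set)


def fingerprint(dpk_cose: bytes) -> str:
    """Stable identifier for a device key: SHA-256 of its COSE encoding."""
    return hashlib.sha256(dpk_cose).hexdigest()


def classify_device(record: CredentialRecord, extension_outputs: dict) -> str:
    """Return 'known', 'new' or 'missing' for the dpk carried in an assertion.
    Assumed layout: extension_outputs["devicePubKey"]["dpk"] holds the key bytes."""
    dpk_out = extension_outputs.get("devicePubKey")
    if not dpk_out or "dpk" not in dpk_out:
        return "missing"
    if fingerprint(dpk_out["dpk"]) in record.known_device_keys:
        return "known"
    return "new"


def decide(record: CredentialRecord, extension_outputs: dict, risk_engine_approves) -> str:
    """RP policy from the comment: no dpk -> reject (multi-device credential from an
    unknown device); known device -> accept; new device -> ask the RP's own risk
    engine and, only if it approves, enrol the device so it is 'known' next time."""
    status = classify_device(record, extension_outputs)
    if status == "missing":
        return "reject"
    if status == "known":
        return "accept"
    if risk_engine_approves(record, extension_outputs):
        record.known_device_keys.add(fingerprint(extension_outputs["devicePubKey"]["dpk"]))
        return "accept"
    return "reject"


if __name__ == "__main__":
    rec = CredentialRecord(credential_id=b"cred-1")
    first = {"devicePubKey": {"dpk": b"constructed-cose-key-A"}}  # constructed sample
    print(decide(rec, first, lambda r, e: True))   # new device, engine approves -> accept
    print(decide(rec, first, lambda r, e: False))  # now known -> accept without the engine
    print(decide(rec, {}, lambda r, e: True))      # no dpk at all -> reject
```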


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 January 2022 14:54:45 UTC