W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

From: Max Hata via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Jan 2022 14:54:44 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021266481-1643122482-sysbot+gh@w3.org>
What RPs need to know on multi-device WebAuthn credentials is:
when invoking get() for authentication, if the assertion is coming back from 1) an already accepted device or 2) an new (unknown) device. RPs consider 2) may be less trusted so that they can run their own risk engine. They will determine if the assertion coming from the new device can be trusted based on their own policy. The RP can bear the full legal responsibility for the decision if any incidents to happen. Such RPs cannot accept multi-device WebAuthn credentials from unknown devices that includes unknown security characteristics of the platform vendor as well as the user's security setting of the platform vendor's account at a time.

This is why dpk should always be provided if multi-device WebAuthn credentials are provided.
They are inseparable companion features to ensure backward compatibility on the security model where the credentials were bound to devices. It is disappointing if WebAuthn cannot mandate such an important issue.




-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021266481 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 25 January 2022 14:54:45 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:44 UTC