Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

From: Arshad Noor via GitHub <sysbot+gh@w3.org>
Date: Wed, 26 Jan 2022 03:54:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021837168-1643169254-sysbot+gh@w3.org>

Seriously, folks??

It would seem to me that when dozens to hundreds of FIDO manufacturers have invested years into implementing FIDO solutions with certain security notions, as a courtesy to all that effort and investment - and to instill the principle of "**secure by default**" - the DEFAULT for a FIDO credential should ALWAYS be a hardware-bound key-pair, with NO possibility of ever extracting, copying, cloning, moving, synchronizing or backing up that key-pair to anything, anywhere. If new entrants to the market desire convenience and are willing to sacrifice security for that illusory benefit, **then** those people/companies should bear the burden of the new extension request and response processing, and of dealing with the ensuing complexity. Why should the people/companies who have invested more than 7 years into building "secure by default" FIDO solutions have to perform ANY additional work _just to maintain_ what they always believed the FIDO value-proposition would be?

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021837168 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 January 2022 03:54:17 UTC