Re: [webauthn] Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). (#1761)

@Firstyear seems to be confusing 2 things in the OP.
1. Is the credential hardware bound? That is in the current L3 draft returned as part of the signed authenticator data.
2. Is the credential discoverable? That is returned unsigned by the client. The question is what attack is there other than the user messing up their own UX by tampering with it? If the platform reports that it is discoverable in credprops and it is not, then the credential won't work in flows without an allow list. If the client lies the other way and says it is not discoverable, then perhaps the UX will be worse, but it will still work in second factor flows even though it is discoverable.

The downside to putting a flag in authenticator data is that it won't be supported by current authenticators. 

We could come up with another way to do credprops, but someone needs to articulate a good reason why having it unsigned by the authenticator is a security risk. I just don't see that for the discoverable flag.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1761#issuecomment-1175549470 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 5 July 2022 22:07:26 UTC
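The comment draws a line between two kinds of information a relying party receives at registration: the flags inside the signed authenticator data (hardware binding, in the L3 draft the backup-eligibility flag), and the unsigned `credProps.rk` extension output that the client produces on its own. The example below is an added illustration, not code from the thread or from the WebAuthn specification's own test suite. It parses the fixed prefix of authenticator data on the relying-party side, treats the signed flags as trustworthy, and treats `credProps.rk` only as a hint for choosing between an allow-list flow and a discoverable-credential flow, which is the consequence the comment describes when the client misreports it. The RP ID, sign counts and flag combinations are constructed sample values; `make_auth_data`, `registration_record` and `choose_assertion_flow` are hypothetical helper names.

```python
"""Added example: RP-side handling of signed authenticator data flags versus the
unsigned credProps.rk client extension output. Not part of the original thread."""
import hashlib
import struct
from typing import Optional

# Bit positions of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: 0 means the credential never leaves one authenticator
FLAG_BS = 1 << 4  # backup state: credential is currently backed up
FLAG_AT = 1 << 6  # attested credential data follows
FLAG_ED = 1 << 7  # extension data follows


def make_auth_data(rp_id: str, flags: int, sign_count: int, rest: bytes = b"") -> bytes:
    """Build a constructed authenticator data blob: rpIdHash(32) | flags(1) | signCount(4) | rest."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count) + rest


def parse_auth_data_flags(auth_data: bytes, expected_rp_id: str) -> dict:
    """Parse the 37-byte fixed prefix and validate the parts an RP must check."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than its fixed prefix")
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    flags = auth_data[32]
    if flags & FLAG_BS and not flags & FLAG_BE:
        # BS without BE is not a valid state for an authenticator to report.
        raise ValueError("backup state set on a credential that is not backup eligible")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "attested": bool(flags & FLAG_AT),
        "sign_count": sign_count,
    }


def device_bound(flags: dict) -> bool:
    """Hardware binding comes from the signed BE flag: not backup eligible means single-device."""
    return not flags["backup_eligible"]


def discoverable_hint(cred_props: Optional[dict]) -> bool:
    """credProps.rk is produced by the client and is unsigned, so it is only a UX hint.
    Absent or malformed output is treated as 'unknown' and falls back to allow-list flows."""
    if not cred_props or not isinstance(cred_props.get("rk"), bool):
        return False
    return cred_props["rk"]


def registration_record(auth_data: bytes, rp_id: str, cred_props: Optional[dict]) -> dict:
    """What an RP would persist: the signed property separately from the unsigned hint."""
    flags = parse_auth_data_flags(auth_data, rp_id)
    return {
        "device_bound": device_bound(flags),          # from signed authenticator data
        "discoverable_hint": discoverable_hint(cred_props),  # from unsigned client output
        "sign_count": flags["sign_count"],
    }


def choose_assertion_flow(record: dict) -> str:
    """A wrong hint only degrades UX: an rk=false hint keeps the credential usable via allowList,
    and an rk=true hint on a non-discoverable credential simply fails the empty-allowList flow,
    after which the RP can retry with an allowList."""
    return "empty-allowList" if record["discoverable_hint"] else "allowList"


if __name__ == "__main__":
    rp = "example.com"
    bound = registration_record(make_auth_data(rp, FLAG_UP | FLAG_UV, 7), rp, {"rk": True})
    synced = registration_record(make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0), rp, None)
    print(bound, choose_assertion_flow(bound))
    print(synced, choose_assertion_flow(synced))
```

The point the code makes explicit is the asymmetry in the comment: the RP verifies the signature over the authenticator data, so `device_bound` rests on something the authenticator asserted, while `discoverable_hint` rests on the client's word and is only ever used to pick a login flow that will fail safe if the hint is wrong.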