Re: [webauthn] Authenticator flag to indicate internal knowledge of rk (discoverable credential creation). (#1761)

To expand on this to make it a bit clearer: Apple's Passkeys will *not* register if you request attestation conveyance direct/indirect. As a result, when people go to use Passkeys, you can't request any kind of attestation at all, meaning you have no indication of the type of device used as a passkey.

Now, passkeys, when combined with conditional UI, allow a discoverable workflow. As an RP we need to know if the credential that was registered can work with a discoverable workflow.

Now, we can use credProps, but that only reflects whether the *browser* thinks it requested a resident key. As a result, when we use this with a TPM or an Apple Passkey it's likely to indicate 'false' for resident key status (pretty sure Safari has not supported credProps for ages anyway ...).

We also can't set require_resident_key in the creation request, because then users of things like YubiKeys will quickly hit the storage limits of their devices. Nitrokeys have a limit of 8 rk slots I think, and modern YubiKeys have about 20 or so, but looking at my password manager I have more than 120 passwords saved, so this won't scale.

So we need a way to know "when did the authenticator give us a resident key, without the RP or browser asking for it, or having knowledge that an RK was created". credProps doesn't work here because the browser might not know what the authenticator did. We can't use attestation because Apple's Passkeys completely block attestation from being requested at all. There really isn't a "reliable signal" today of discoverable status, so having the authenticator internally indicate this in the future could really help.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1761#issuecomment-1189802792 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 20 July 2022 04:05:02 UTC
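The following is an added illustration of the RP-side situation described in the comment above; it is not code from the thread, from Firstyear, or from the WebAuthn spec. It builds creation options the way a passkey-friendly RP has to today (attestation "none", residentKey "preferred", credProps requested), then treats the credProps.rk output as the three-valued signal it actually is: true, false, or absent (client does not know). The helper names (buildCreationOptions, classifyDiscoverability, planAuthentication) and the sample extension results are hypothetical, constructed for this example.

```javascript
// Added example, not from the thread or the WebAuthn spec. Helper names and
// the sample data below are hypothetical and constructed for illustration.

// Creation options an RP can use for passkeys and hardware keys alike:
//  - attestation "none": direct/indirect conveyance is refused by Apple passkeys
//  - residentKey "preferred": do not force an rk onto keys with few rk slots
//  - credProps: ask the client to report whether it believes an rk was made
function buildCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    attestation: "none",
    authenticatorSelection: {
      residentKey: "preferred",
      requireResidentKey: false,
      userVerification: "preferred",
    },
    extensions: { credProps: true },
  };
}

// Interpret credential.getClientExtensionResults() after registration.
// credProps.rk is OPTIONAL: a boolean is the client's belief about what it
// requested; its absence (extension unsupported, or rk omitted) means the
// client does not know what the authenticator actually did.
function classifyDiscoverability(clientExtensionResults) {
  const props = clientExtensionResults && clientExtensionResults.credProps;
  if (!props || typeof props.rk !== "boolean") return "unknown";
  return props.rk ? "discoverable" : "non-discoverable";
}

// Given a user's stored credentials (each tagged with the classification
// recorded at registration), decide what the login page can safely offer.
// Username-less sign-in (conditional UI, empty allowCredentials) is only
// advertised when at least one credential is positively known to be
// discoverable; "unknown" is treated conservatively. Every credential is
// still listed in allowCredentials for the username-first fallback, since
// a discoverable credential also works when explicitly allowed.
function planAuthentication(storedCredentials) {
  const usernamelessSignIn = storedCredentials.some(
    (c) => c.discoverability === "discoverable"
  );
  const allowCredentials = storedCredentials.map((c) => ({
    type: "public-key",
    id: c.credentialId,
  }));
  return { usernamelessSignIn, allowCredentials };
}

// Constructed sample extension results (not captured from real clients):
const SAMPLE_RESULTS = {
  browserHardwareKey: { credProps: { rk: false } }, // client asked for no rk
  browserPasskey: { credProps: { rk: true } },      // client believes rk made
  noCredPropsSupport: {},                           // extension not supported
  rkOmitted: { credProps: {} },                     // extension present, rk absent
};

// Constructed stored credentials for one account:
const SAMPLE_ACCOUNT = [
  { credentialId: new Uint8Array([1, 1, 1]), discoverability: "unknown" },
  { credentialId: new Uint8Array([2, 2, 2]), discoverability: "discoverable" },
];
```

In a real deployment the classification is stored alongside the credential at registration time, and anything classified "unknown" should be re-evaluated later (for example, by observing whether the credential ever shows up in a conditional-UI assertion) rather than assumed to be discoverable.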