[webauthn] No mechanisms in place for enterprise RPs to opt out of auth with a "shared" passkey (#1739)

MasterKale has just created a new issue for https://github.com/w3c/webauthn:

== No mechanisms in place for enterprise RPs to opt out of auth with a "shared" passkey ==
This week at WWDC Apple demonstrated the ability of one iCloud user with a registered passkey to share that passkey with another individual on a separate iCloud account. The implications of this in the enterprise space are dire as it means that RPs like Duo can no longer ensure that a platform authenticator response matching a stored public key corresponds 1:1 to the user we originally associated that credential with.

The current state of the spec lacks much configurability to support enterprise RP use cases. Shareable credentials threaten to make it untenable for RPs to continue to leverage WebAuthn as platform vendors evolve authenticator capabilities more quickly than the API evolves.

We should start collecting additional RP concerns and discussing how WebAuthn might evolve to address enterprise RP concerns now that many of the consumer use cases are being addressed with Apple's, Google's, and Microsoft's upcoming passkey support.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 9 June 2022 16:53:48 UTC