[webauthn] Use aPAKE/QPAQUE for FIDO multi-device credentials (PassKey) (#1747) from Sebastian Elfors (IDnow) via GitHub on 2022-06-15 (public-webauthn@w3.org from June 2022)

From: Sebastian Elfors (IDnow) via GitHub <sysbot+gh@w3.org>
Date: Wed, 15 Jun 2022 08:25:29 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-1271862537-1655281527-sysbot+gh@w3.org>

Sebastian-Elfors-IDnow has just created a new issue for https://github.com/w3c/webauthn:

== Use aPAKE/QPAQUE for FIDO multi-device credentials (PassKey) ==
The [OPAQUE Asymmetric PAKE Protocol](https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html) has recently been published by the IETF Network Working Group.

In particular, the section "[Client Credential Storage and Recovery](https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html#name-client-credential-storage-a)" is interesting, because that part specifies how a client can encrypt its private key in an envelope and store it on the server together with the server's public key. The user uses a PIN-code to encrypt the envelope that is then stored at the server. The client can thus download its envelope and decrypt it with a PIN-code. The recovered private key can then be stored in the mobile's TPM/TEE. Furthermore, the client can use the server's public key to authenticate to the server and to create a session key.

This could perhaps be a standardized option for roaming of FIDO multi-device credentials (PassKey)? Perhaps it can be mentioned as an implementation example (or similar) in the WebAuthn standard?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1747 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 15 June 2022 08:25:31 UTC