
Re: [webauthn] Spec abstract is out of date on the eve of multi-device credentials and cross-device auth (#1743)

From: Arnaud Dagnelies via GitHub <sysbot+gh@w3.org>
Date: Tue, 21 Jun 2022 21:21:26 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1162380479-1655846485-sysbot+gh@w3.org>
I learned about this recently, and I must admit that the concept of sharing private keys in the "cloud" does not sound like the epitome of security to me. If some day in the future this central credentials storage gets leaked/breached/hacked/eavesdropped/whatever, it would be a disaster. I'm pretty sure there are all kinds of security measures in place, but it wouldn't be the first time something like this happens.

Until now, the private key being bound to the device gave me a certain sense of security. Not anymore though with "synced-in-the-cloud secrets", aka multi-device credentials. It also makes the whole reasoning a bit more difficult.

In this light, I, too, think it is crucial to update the abstract of this specification to highlight that these "private keys" are not device-bound anymore, but can be synced/shared. The concept is fundamentally altered because of this, with implications for usage, security and privacy.

GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1743#issuecomment-1162380479 using your GitHub account

Received on Tuesday, 21 June 2022 21:21:28 UTC
