Re: [webauthn] Spec abstract is out of date on the eve of multi-device credentials and cross-device auth (#1743)

I learned about this recently, and I must admit that the concept of sharing private keys in the "cloud" does not sound like the epitome of security to me. If some day in the future this central credentials storage gets leaked/breached/hacked/eavesdropped/whatever, it would be a disaster. I'm pretty sure there are all kinds of security measures in place, but it wouldn't be the first time something like this has happened.

Until now, the private key being bound to the device gave me a certain sense of security. Not anymore, though, with "synced-in-the-cloud secrets", aka multi-device credentials. It also makes the whole reasoning a bit more difficult.

In this light, I, too, think it is crucial to update the abstract of this specification to highlight that these "private keys" are not device-bound anymore, but can be synced/shared. The concept is fundamentally altered because of this, with implications for usage, security and privacy.

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1743#issuecomment-1162380479 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 21 June 2022 21:21:28 UTC
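The comment above draws a line between device-bound and synced (multi-device) credentials. A relying party can actually observe which kind it has been handed: WebAuthn Level 3 carries two bits in the authenticator data flags byte, BE (backup eligibility, bit 3) and BS (backup state, bit 4). The following is an added example, not code from the w3c/webauthn project or from the commenter; it parses the fixed prefix of authenticator data, classifies the credential, and applies a hypothetical relying-party policy (`require_device_bound`) that a high-assurance account could opt into. The sample authenticator data is constructed inline for `example.com`.

```python
# Added example: classify a WebAuthn credential as device-bound or
# multi-device (synced) from the authenticator data flags byte.
import hashlib
import struct

# Bit positions in the authenticator data flags byte (WebAuthn L3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }


def classify_credential(parsed: dict) -> str:
    """Map the BE/BS bits to a human-readable credential class."""
    # The spec forbids BS without BE; treat that combination as malformed.
    if parsed["backup_state"] and not parsed["backup_eligible"]:
        raise ValueError("BS flag set without BE flag: malformed authenticator data")
    if not parsed["backup_eligible"]:
        return "device-bound"
    if parsed["backup_state"]:
        return "multi-device (backed up)"
    return "multi-device (not yet backed up)"


def accept_registration(auth_data: bytes, rp_id: str, require_device_bound: bool = False) -> bool:
    """Hypothetical relying-party policy check on a registration response.

    Verifies the RP ID hash and user presence, then optionally rejects any
    credential that is eligible for sync (e.g. for high-assurance accounts).
    """
    try:
        parsed = parse_auth_data(auth_data)
        kind = classify_credential(parsed)
    except ValueError:
        return False
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False
    if not parsed["user_present"]:
        return False
    if require_device_bound and kind != "device-bound":
        return False
    return True


def build_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Construct sample authenticator data (test input only, not a real authenticator)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for name, flags in [
        ("security key", FLAG_UP | FLAG_UV),
        ("synced passkey", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
        ("sync-eligible, not yet backed up", FLAG_UP | FLAG_UV | FLAG_BE),
    ]:
        data = build_auth_data("example.com", flags)
        print(f"{name}: {classify_credential(parse_auth_data(data))}")
```

The policy decision is kept separate from parsing so an RP can log the credential class for every registration (useful for telemetry on how many accounts rely on synced keys) while enforcing `require_device_bound` only where the account's risk profile calls for it.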