Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

> Passkeys fall under the relaxation of point 3 that @emlun mentioned, as they will be synced via iCloud, right? Not sure if this scenario is covered: if I compromise someone's iCloud account and sign in on a new iOS device, wouldn't my Face ID unlock the passkeys?

Yes – if you compromise someone's iCloud account, manage to sign in on a device under your control, and set up Face ID on that device.

Apple more or less [enforces 2FA](https://support.apple.com/en-ke/guide/security/sec3e341e75d/web) for Keychain access to prevent such an attack on credentials from happening. But there are certainly cases where this threat model is not acceptable, e.g. under certain regulations (in their current form at least).

-- 
GitHub Notification of comment by FlxMgdnz
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1167322924 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 June 2022 13:00:26 UTC