- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Mon, 27 Jun 2022 22:15:03 +0000
- To: public-webauthn@w3.org
> Apple more or less [enforces 2FA](https://support.apple.com/guide/security/secure-icloud-keychain-recovery-secdeb202947/web) for Keychain access to prevent such an attack on credentials from happening. But there are certainly cases where this threat model is not acceptable, e.g. under certain regulations (in their current form at least). Apple have now officially confirmed to me that they are not willing to support attested single device credentials on iOS 16 or Ventura going forward, meaning that there is no way to "avoid" passkeys. You either need to attest credentials and reject passkeys and all Apple platform authenticators, or you will need to accept passkeys and their risks.

--
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1167972454 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 27 June 2022 22:15:05 UTC
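
The two relying-party choices described in the message above, sketched as an added example that is not part of the original message or of any project's code. It assumes the server has already decoded the attestation object into its `fmt` string and raw authenticator data, and it uses the backup eligibility (BE) and backup state (BS) flag bits from WebAuthn Level 3, which the message does not mention; the policy names and function names are hypothetical.

```javascript
// Added illustration (not from the thread). Authenticator data layout:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40 };

function parseAuthData(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    signCount: view.getUint32(33, false),
    userVerified: (flags & FLAGS.UV) !== 0,
    backupEligible: (flags & FLAGS.BE) !== 0,
    backedUp: (flags & FLAGS.BS) !== 0,
    hasAttestedCredential: (flags & FLAGS.AT) !== 0,
  };
}

// policy is a hypothetical RP setting: "single-device" or "accept-passkeys".
function evaluateRegistration(fmt, authData, policy) {
  const ad = parseAuthData(authData);
  const reject = (reason) => ({ accept: false, reason });
  if (!ad.hasAttestedCredential) return reject("no attested credential data");
  if (ad.backedUp && !ad.backupEligible) return reject("BS set without BE");
  if (policy === "accept-passkeys") return { accept: true, reason: "synced credentials allowed" };
  if (policy !== "single-device") throw new Error("unknown policy: " + policy);
  if (fmt === "none") return reject("no attestation statement");
  if (ad.backupEligible) return reject("credential is backup eligible");
  // Caller must still verify the attestation signature and trust chain.
  return { accept: true, reason: "attested, not backup eligible" };
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte set.
function sampleAuthData(flags) {
  const bytes = new Uint8Array(37);
  bytes[32] = flags;
  return bytes;
}

const { UP, UV, BE, BS, AT } = FLAGS;
console.log(evaluateRegistration("none", sampleAuthData(UP | UV | AT | BE | BS), "single-device"));
console.log(evaluateRegistration("packed", sampleAuthData(UP | UV | AT), "single-device"));
```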