Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Mon, 27 Jun 2022 22:15:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1167972454-1656368101-sysbot+gh@w3.org>

> Apple more or less [enforces 2FA](https://support.apple.com/guide/security/secure-icloud-keychain-recovery-secdeb202947/web) for Keychain access to prevent such an attack on credentials from happening. But there are certainly cases where this threat model is not acceptable, e.g. under certain regulations (in their current form at least).

Apple have now officially confirmed to me that they are not willing to support attested single device credentials on iOS16 or Ventura going forward, meaning that there is no way to "avoid" passkeys. You either need to attest credentials and reject passkeys and all Apple platform authenticators, or you will need to accept passkeys and their risks.

GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1167972454 using your GitHub account

Received on Monday, 27 June 2022 22:15:05 UTC
