Re: [webauthn] Platform authentication registration promotion when the user has authenticated with the external authenticator (#1759)

> > But, how can we distinguish that the credential is coming from the platform authenticator or from the roaming authenticator
> 
> The `authenticatorAttachment` value in the [resulting object](https://w3c.github.io/webauthn/#iface-pkcredential) will tell you if the device used to generate the assertion was `platform` or `cross-platform`.

This value is unsigned and can't be trusted to be valid or correct. Just the same as the resident key status, it can be freely altered by client-side tooling and JS.

@Kieun As an RP, the only thing you can trust is signed, attested properties. To determine the attachment you need to look at the CA used in attestation, and then subsequently the device AAGUID to understand what the attachment was during a ceremony.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1759#issuecomment-1170614406 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 30 June 2022 00:16:24 UTC
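The following is an added example, not code from the thread or from the WebAuthn project, showing the RP-side check the comment describes: the unsigned `PublicKeyCredential.authenticatorAttachment` value is never used for the decision; instead the AAGUID is read from the attested credential data inside the signed authenticator data and mapped through an RP-maintained policy table. It assumes the attestation statement's signature and certificate chain have already been verified by the RP's WebAuthn library (that is the "CA used in attestation" step), so that the authenticator data is known to be signed; the AAGUIDs, RP ID, credential ID and the `build_auth_data` helper are constructed for this example and identify no real product.

```python
"""Decide authenticator attachment from signed WebAuthn fields only.

Added example (not part of the original thread). Assumes the caller has
already verified the attestation statement and its certificate chain, so
the authenticator data passed in is known to be authentic.
"""
import hashlib
import struct
import uuid

# Hypothetical RP policy table: AAGUID -> attachment. A real RP would build
# this from attestation metadata (for example the FIDO MDS). Both AAGUIDs
# below are constructed for this example and do not identify real devices.
PLATFORM_AAGUID = uuid.UUID("11111111-1111-1111-1111-111111111111")
ROAMING_AAGUID = uuid.UUID("22222222-2222-2222-2222-222222222222")
AAGUID_ATTACHMENT = {
    PLATFORM_AAGUID: "platform",
    ROAMING_AAGUID: "cross-platform",
}

# Authenticator data flag bits (WebAuthn authData layout).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes, rp_id: str) -> dict:
    """Parse rpIdHash, flags, signCount and attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the RP ID")
    flags = auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    parsed = {"flags": flags, "sign_count": sign_count,
              "aaguid": None, "credential_id": None, "cose_key": None}
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = cred_id
        parsed["cose_key"] = auth_data[55 + cred_len:]  # CBOR COSE_Key, left unparsed
    return parsed


def determine_attachment(auth_data: bytes, rp_id: str,
                         reported_attachment: str = None) -> dict:
    """Return the attachment implied by the signed AAGUID.

    reported_attachment is the unsigned value the browser put in
    PublicKeyCredential.authenticatorAttachment. It is only compared
    against the attested result for logging; it never drives the decision.
    """
    parsed = parse_authenticator_data(auth_data, rp_id)
    aaguid = parsed["aaguid"]
    # An absent or all-zero AAGUID carries no information about the device.
    if aaguid is None or aaguid.int == 0:
        raise ValueError("no usable AAGUID in attested credential data")
    attachment = AAGUID_ATTACHMENT.get(aaguid)
    if attachment is None:
        raise ValueError(f"AAGUID {aaguid} not in policy; attachment unknown")
    return {
        "attachment": attachment,
        "aaguid": str(aaguid),
        "credential_id": parsed["credential_id"].hex(),
        "client_hint_disagrees": (reported_attachment is not None
                                  and reported_attachment != attachment),
    }


def build_auth_data(rp_id: str, flags: int, sign_count: int,
                    aaguid: bytes, cred_id: bytes,
                    cose_key: bytes = b"\xa0") -> bytes:
    """Construct sample authenticator data for testing (not real device output).

    The default COSE key is an empty CBOR map, a placeholder for the example.
    """
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


if __name__ == "__main__":
    sample = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 0,
                             PLATFORM_AAGUID.bytes, b"\x01" * 16)
    # The client claims cross-platform; the signed AAGUID says platform.
    print(determine_attachment(sample, "example.com", "cross-platform"))
```

The `client_hint_disagrees` field is the only use of the browser-reported value: a mismatch is worth logging as a signal of tampered client-side code, but the attachment recorded against the credential always comes from the attested AAGUID.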