Re: [webauthn] Platform authentication registration promotion when the user has authenticated with the external authenticator (#1759)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Thu, 30 Jun 2022 00:16:23 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1170614406-1656548181-sysbot+gh@w3.org>
> > But, how can we distinguish that the credential is coming from the platform authenticator or from the roaming authenticator
> 
> The `authenticatorAttachment` value in the [resulting object](https://w3c.github.io/webauthn/#iface-pkcredential) will tell you if the device used to generate the assertion was `platform` or `cross-platform`.

This value is unsigned and can't be trusted to be valid or correct. Just the same as the resident key status, it can be freely altered by client-side tooling and JS.

@Kieun As an RP, the only thing you can trust is signed, attested properties. To determine the attachment you need to look at the CA used in attestation, and then subsequently the device AAGUID to understand what the attachment was during a ceremony.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1759#issuecomment-1170614406 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 30 June 2022 00:16:24 UTC
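
The check described in the message above, as an added example that is not part of the original message or of any WebAuthn library: the RP reads the AAGUID from the attested credential data in the registration `authenticatorData` and maps it to an attachment, ignoring the unsigned `authenticatorAttachment` value. The function names, the AAGUID table and the `attestation_verified` input (standing in for the RP's own attestation signature and CA chain check) are assumptions.

```python
import struct
import uuid

FLAG_AT = 0x40  # flags bit: attested credential data is present

# Constructed RP policy table (made-up AAGUIDs): AAGUID -> attachment.
AAGUID_ATTACHMENT = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): "platform",
    uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"): "cross-platform",
}

def parse_aaguid(auth_data: bytes) -> uuid.UUID:
    """Extract the AAGUID from registration authenticatorData."""
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId | key
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than its fixed header")
    if not auth_data[32] & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:
        raise ValueError("attested credential data truncated")
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_id_len:
        raise ValueError("credential ID truncated")
    return uuid.UUID(bytes=auth_data[37:53])

def trusted_attachment(auth_data, attestation_verified, client_reported=None):
    """Return the attachment the RP may rely on, or None if unknown.

    attestation_verified: outcome of the RP's own attestation check
    (signature valid, chain ends at a trusted CA); assumed done elsewhere.
    client_reported: the unsigned authenticatorAttachment; deliberately unused.
    """
    if not attestation_verified:
        return None  # an AAGUID without verified attestation proves nothing
    return AAGUID_ATTACHMENT.get(parse_aaguid(auth_data))

def build_sample_auth_data(aaguid, flags=0x45):
    """Constructed test input: zero rpIdHash, 4-byte credential ID, key omitted."""
    return (bytes(32) + bytes([flags]) + struct.pack(">I", 0)
            + aaguid.bytes + struct.pack(">H", 4) + b"\x01\x02\x03\x04")

if __name__ == "__main__":
    sample = build_sample_auth_data(uuid.UUID("11111111-2222-3333-4444-555555555555"))
    # Client claims cross-platform; the attested AAGUID says otherwise.
    print(trusted_attachment(sample, True, client_reported="cross-platform"))
```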