Re: [webauthn] Being able to access the same public key credentials across different domains (#1827)

I understand the concern and I agree with the security issues here.

Wouldn't the website-specific challenge created during the login ceremony mitigate this risk? A MITM able to capture the signed message generated by the user during the login on `www.good-website.com` wouldn't be able to reuse it to login inside `www.bad-website.com`, as the challenge to be signed is different.

Also, given the state of the art of the standard, do you see any way to achieve a "unified login" user experience while preserving the security of the user?

-- 
GitHub Notification of comment by enricobottazzi
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1827#issuecomment-1321724583 using your GitHub account
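The relying-party checks that decide whether a captured assertion can be replayed elsewhere, as an added example that is not part of the thread or of the WebAuthn spec text: beyond the per-ceremony challenge, the browser writes the origin into clientDataJSON and the authenticator puts SHA-256(rpId) into authenticatorData, and both are inside the signed message. The key pair below is a constructed hash-based stand-in for the credential's real signature scheme, and the host names are the ones from the comment above.

```python
import base64
import hashlib
import json
import secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def rp_id_hash(rp_id: str) -> bytes:
    # First 32 bytes of authenticatorData: SHA-256 of the RP ID the browser used.
    return hashlib.sha256(rp_id.encode()).digest()

def client_data_json(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page script, fills in type, challenge and origin.
    data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(data, separators=(",", ":")).encode()

def signed_message(auth_data: bytes, cdj: bytes) -> bytes:
    # What the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(cdj).digest()

def verify_assertion(rp_id, origin, issued_challenge, auth_data, cdj, signature, verify_sig):
    """Stripped-down relying-party checks from the assertion (login) ceremony."""
    data = json.loads(cdj)
    if data.get("type") != "webauthn.get":
        return False
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), issued_challenge):
        return False                      # not the challenge this RP issued for this ceremony
    if data.get("origin") != origin:
        return False                      # browser recorded a different origin
    if auth_data[:32] != rp_id_hash(rp_id):
        return False                      # key was scoped to a different RP ID
    if not auth_data[32] & 0x01:
        return False                      # user-presence flag must be set
    return verify_sig(signed_message(auth_data, cdj), signature)

_DEMO_KEY = b"constructed-demo-key"       # constructed stand-in, NOT a real signature scheme
def demo_sign(msg: bytes) -> bytes:
    return hashlib.sha256(_DEMO_KEY + msg).digest()
def demo_verify(msg: bytes, sig: bytes) -> bool:
    return secrets.compare_digest(demo_sign(msg), sig)

def run_demo() -> dict:
    good_chal = secrets.token_bytes(32)   # issued by www.good-website.com for one login
    auth_data = rp_id_hash("good-website.com") + bytes([0x01]) + (0).to_bytes(4, "big")
    cdj = client_data_json(good_chal, "https://www.good-website.com")
    sig = demo_sign(signed_message(auth_data, cdj))   # captured by the attacker in transit
    bad_chal = secrets.token_bytes(32)    # issued by www.bad-website.com
    return {
        "good": verify_assertion("good-website.com", "https://www.good-website.com", good_chal, auth_data, cdj, sig, demo_verify),
        "replayed_to_bad": verify_assertion("bad-website.com", "https://www.bad-website.com", bad_chal, auth_data, cdj, sig, demo_verify),
        "bad_reuses_challenge": verify_assertion("bad-website.com", "https://www.bad-website.com", good_chal, auth_data, cdj, sig, demo_verify),
    }
```

The third case shows that even if the bad site somehow issued the same challenge, the origin and rpIdHash checks still reject the replayed assertion.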


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 21 November 2022 09:03:39 UTC