[webauthn] Is there a way to store user secret key in the authenticator with/without an extension? (#1818)

KuznetsovNikita has just created a new issue for https://github.com/w3c/webauthn:

== Is there a way to store user secret key in the authenticator with/without an extension? ==
WebAuthn would be very useful if developers had an option to store and get a user secret key, from my perspective.

As I understand it, developers have a few options:

1) [`user.id` aka `userHandle`](https://w3c.github.io/webauthn/#user-handle), which is supported by most authenticators.

2) The ["small blob" extension](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-credBlob-extension), which is not well supported nowadays.

3) The ["large blob" extension](https://www.w3.org/TR/webauthn-2/#sctn-large-blob-extension), which is an experimental feature nowadays.


As I understand it, the value for `user.id` aka `userHandle` is stored in the authenticator, but it means non-sensitive data and is used for technical reasons.

Why should I not store a user secret in the `user.id` aka `userHandle`?
Is it possible to somehow hack and get this value from the authenticator?
Does the hack require physical contact with the authenticator, or could it be done programmatically?

Thank you in advance!

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1818 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 22 October 2022 12:53:20 UTC