Re: [webauthn] Is there a way to store user secret key in the authenticator with/without an extension? (#1818)

On the WebAuthn layer, the small and large blob extensions are indeed the only way to store a chosen value. As you note, you could technically abuse `user.id` for this as well, but that is strongly discouraged because authenticators and client platforms make assumptions about what it's used for and do not treat it as sensitive.

If a random but deterministically derived value is sufficient - for example, to use as key derivation material rather than a finished key - there is the [`prf` extension](https://w3c.github.io/webauthn/#prf-extension), though I don't think there are any client implementations available yet.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1818#issuecomment-1289175649 using your GitHub account



Received on Monday, 24 October 2022 15:03:16 UTC
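
The `prf` route mentioned in the comment above, as an added example that is not part of the original message: the extension output is used as key derivation material and run through HKDF before it becomes an AES-GCM key. The helper names, the purpose labels and the sample bytes are assumptions made for illustration.

```javascript
// Added example. Written for a browser page; the fallback lets it also run under Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;

// Extension input for navigator.credentials.get(): the authenticator evaluates
// its per-credential PRF over `salt`, so the same salt yields the same output.
function prfRequestExtensions(salt) {
  return { prf: { eval: { first: salt } } };
}

// Treat the PRF output as input keying material, not as the finished key:
// HKDF with a purpose label gives an independent key for each use.
async function keyFromPrfResults(extResults, purpose) {
  const ikm = extResults?.prf?.results?.first;
  if (!ikm) throw new Error("prf extension not supported or not evaluated");
  const base = await subtle.importKey("raw", ikm, "HKDF", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), // all-zero HKDF salt
      info: new TextEncoder().encode(purpose) },
    base, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// In a page (challenge, allowCredentials and salt come from the relying party):
//   const assertion = await navigator.credentials.get({ publicKey: {
//     challenge, allowCredentials, extensions: prfRequestExtensions(salt) } });
//   const key = await keyFromPrfResults(assertion.getClientExtensionResults(), "vault-key-v1");

// Constructed stand-in for getClientExtensionResults(); not real authenticator output.
const SAMPLE_RESULTS = { prf: { results: { first: new Uint8Array(32).fill(7).buffer } } };

// Encrypt with a key derived under one label, decrypt with a key derived under another.
// Equal labels reproduce the same key; different labels make decryption fail.
async function roundTrip(results, encPurpose, decPurpose, text) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const encKey = await keyFromPrfResults(results, encPurpose);
  const ct = await subtle.encrypt({ name: "AES-GCM", iv }, encKey, new TextEncoder().encode(text));
  const decKey = await keyFromPrfResults(results, decPurpose);
  return new TextDecoder().decode(await subtle.decrypt({ name: "AES-GCM", iv }, decKey, ct));
}
```

Nothing secret is stored in the credential record this way; the key is re-derived on each assertion, so losing the credential means losing the key.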