Re: [webauthn] Adding some sentences to describe credential sharing between multiple users (#1921)

Hm. I would agree that passkey sharing (not to be confused with multi-device credentials) goes against some of the assertions we make throughout the spec. See for example the definition of [**Bound credential**](https://w3c.github.io/webauthn/#bound-credential):

>[**Bound credential**](https://w3c.github.io/webauthn/#bound-credential)
>**"Authenticator [contains](https://w3c.github.io/webauthn/#contains) a credential"**
>**"Credential [created on](https://w3c.github.io/webauthn/#created-on) an authenticator"**
>
>A [public key credential source](https://w3c.github.io/webauthn/#public-key-credential-source) or [public key credential](https://w3c.github.io/webauthn/#public-key-credential) is said to be [bound](https://w3c.github.io/webauthn/#bound-credential) to its [managing authenticator](https://w3c.github.io/webauthn/#public-key-credential-source-managing-authenticator). This means that only the [managing authenticator](https://w3c.github.io/webauthn/#public-key-credential-source-managing-authenticator) can generate [assertions](https://w3c.github.io/webauthn/#assertion) for the [public key credential sources](https://w3c.github.io/webauthn/#public-key-credential-source) [bound](https://w3c.github.io/webauthn/#bound-credential) to it.
>
>This may also be expressed as "the [managing authenticator](https://w3c.github.io/webauthn/#public-key-credential-source-managing-authenticator) ***contains*** the [bound credential](https://w3c.github.io/webauthn/#bound-credential)", or "the [bound credential](https://w3c.github.io/webauthn/#bound-credential) was ***created on*** its [managing authenticator](https://w3c.github.io/webauthn/#public-key-credential-source-managing-authenticator)". Note, however, that a [server-side credential](https://w3c.github.io/webauthn/#server-side-credential) might not be physically stored in persistent memory inside the authenticator, hence "[bound to](https://w3c.github.io/webauthn/#bound-credential)" is the primary term. See [§ 6.2.2 Credential Storage Modality](https://w3c.github.io/webauthn/#sctn-credential-storage-modality).

Also the definition of [**Credential Key Pair**](https://w3c.github.io/webauthn/#credential-key-pair):

>**Credential Key Pair**
>**Credential Private Key**
>**Credential Public Key**
>**User Public Key**
>**User Credential**
>[...]
>A [credential private key](https://w3c.github.io/webauthn/#credential-private-key) is the private key portion of a [credential key pair](https://w3c.github.io/webauthn/#credential-key-pair). The [credential private key](https://w3c.github.io/webauthn/#credential-private-key) is bound to a particular [authenticator](https://w3c.github.io/webauthn/#authenticator) - its [managing authenticator](https://w3c.github.io/webauthn/#public-key-credential-source-managing-authenticator) - and is expected to never be exposed to any other party, not even to the owner of the [authenticator](https://w3c.github.io/webauthn/#authenticator).
>[...]

I would say one could argue that a multi-device credential synced between several of one user's devices still satisfies these if all are tied to one single cloud account. I don't think you could make that argument for credentials freely shared between different people's cloud accounts, though.

There's also the security consideration [§13.4.6. Credential Loss and Key Mobility](https://w3c.github.io/webauthn/#sctn-credential-loss-key-mobility) which, even ignoring credential sharing, is just inaccurate since the introduction of the backup state flags:

>This specification defines no protocol for backing up [credential private keys](https://w3c.github.io/webauthn/#credential-private-key), or for sharing them between [authenticators](https://w3c.github.io/webauthn/#authenticator). In general, it is expected that a [credential private key](https://w3c.github.io/webauthn/#credential-private-key) never leaves the [authenticator](https://w3c.github.io/webauthn/#authenticator) that created it. Losing an [authenticator](https://w3c.github.io/webauthn/#authenticator) therefore, in general, means losing all [credentials](https://w3c.github.io/webauthn/#public-key-credential) [bound](https://w3c.github.io/webauthn/#bound-credential) to the lost [authenticator](https://w3c.github.io/webauthn/#authenticator), which could lock the user out of an account if the user has only one [credential](https://w3c.github.io/webauthn/#public-key-credential) registered with the [Relying Party](https://w3c.github.io/webauthn/#relying-party). Instead of backing up or sharing private keys, the Web Authentication API allows registering multiple [credentials](https://w3c.github.io/webauthn/#public-key-credential) for the same user. For example, a user might register [platform credentials](https://w3c.github.io/webauthn/#platform-credential) on frequently used [client devices](https://w3c.github.io/webauthn/#client-device), and one or more [roaming credentials](https://w3c.github.io/webauthn/#roaming-credential) for use as backup and with new or rarely used [client devices](https://w3c.github.io/webauthn/#client-device).
>
>[Relying Parties](https://w3c.github.io/webauthn/#relying-party) SHOULD allow and encourage users to register multiple [credentials](https://w3c.github.io/webauthn/#public-key-credential) to the same [user account](https://w3c.github.io/webauthn/#user-account). [Relying Parties](https://w3c.github.io/webauthn/#relying-party) SHOULD make use of the [excludeCredentials](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-excludecredentials) and [user](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-user).[id](https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id) options to ensure that these different [credentials](https://w3c.github.io/webauthn/#public-key-credential) are [bound](https://w3c.github.io/webauthn/#bound-credential) to different [authenticators](https://w3c.github.io/webauthn/#authenticator).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1921#issuecomment-1667906419 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 7 August 2023 13:55:34 UTC
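The comment above turns on three spec mechanisms: the "bound credential" notion, the backup state flags (BE/BS) in authenticator data that make §13.4.6 out of date, and the `excludeCredentials` / `user.id` advice for keeping distinct credentials on distinct authenticators. The following is an added example, not code from the w3c/webauthn thread or from the specification, showing how a Relying Party would read those flags and apply the consistency checks the spec describes: parsing the fixed 37-byte authenticator data header, rejecting BS=1 with BE=0, flagging a change in backup eligibility between registration and a later assertion, applying the sign-counter clone check, and building `excludeCredentials` from stored credential IDs. The `CredentialRecord` fields, the `make_auth_data` helper, the finding strings, and all sample values are assumptions constructed for this example.

```python
"""Added example (not part of the WebAuthn thread or spec): RP-side handling of
the authenticator data flags byte, the backup-state consistency checks, and an
excludeCredentials builder. Sample inputs are constructed here."""
import hashlib
import struct
from dataclasses import dataclass

# Flag bits of the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: a multi-device credential
FLAG_BS = 0x10  # backup state: currently backed up
FLAG_AT = 0x40  # attested credential data follows the header
FLAG_ED = 0x80  # extension data follows


def flags_are_consistent(flags: int) -> bool:
    """BS may only be set when BE is set: a credential that can never be
    backed up cannot currently be backed up."""
    return bool(flags & FLAG_BE) or not (flags & FLAG_BS)


@dataclass
class AuthDataHeader:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data_header(auth_data: bytes) -> AuthDataHeader:
    """Parse rpIdHash (32 bytes), flags (1 byte) and signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed header")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if not flags_are_consistent(flags):
        raise ValueError("invalid flags: BS set while BE clear")
    return AuthDataHeader(rp_id_hash, flags, sign_count)


@dataclass
class CredentialRecord:
    """Subset of what an RP stores per registered credential (assumed layout)."""
    credential_id: bytes
    backup_eligible: bool
    backup_state: bool
    sign_count: int = 0


def check_assertion(record: CredentialRecord, header: AuthDataHeader, rp_id: str) -> list:
    """Return policy findings for an assertion against a stored record; an empty
    list means the assertion is consistent with what was registered."""
    findings = []
    if header.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        findings.append("rpIdHash mismatch")
    # BE is fixed for the lifetime of a credential: a flip means the assertion
    # does not come from the credential as it was registered.
    if header.backup_eligible != record.backup_eligible:
        findings.append("backup eligibility changed since registration")
    # BS may legitimately change; the RP records the new value.
    if header.backed_up != record.backup_state:
        findings.append("backup state changed (informational; update record)")
    # Sign-counter check: skipped only when both values are zero, as for most
    # multi-device credentials. A non-increasing counter is a cloning signal.
    if (header.sign_count != 0 or record.sign_count != 0) and header.sign_count <= record.sign_count:
        findings.append("sign counter did not increase (possible cloned credential)")
    return findings


def build_exclude_credentials(records: list) -> list:
    """excludeCredentials entries for a new registration, so the ceremony fails on
    any authenticator that already holds one of this user's credentials."""
    return [{"type": "public-key", "id": r.credential_id} for r in records]


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input standing in for what an authenticator would emit."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # A synced (BE=1, BS=1) assertion arriving for a credential registered as
    # single-device (BE=0) with a non-zero counter: both checks fire.
    header = parse_auth_data_header(make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0))
    stored = CredentialRecord(b"\x01\x02\x03", backup_eligible=False, backup_state=False, sign_count=5)
    for finding in check_assertion(stored, header, "example.com"):
        print("finding:", finding)
    print(build_exclude_credentials([stored]))
```

The backup-eligibility check is the one that matters most for the discussion above: if a credential registered as bound to a single authenticator later asserts with BE set, the RP has direct evidence that the "never leaves the authenticator that created it" assumption in §13.4.6 no longer holds for that credential.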