Re: [webauthn] Extension's data security on assertion (#1940) from Tim Cappalli via GitHub on 2023-08-09 (public-webauthn@w3.org from August 2023)

From: Tim Cappalli via GitHub <sysbot+gh@w3.org>
Date: Wed, 09 Aug 2023 13:27:29 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1671327210-1691587647-sysbot+gh@w3.org>

> According to [FIDO Bluetooth spec](https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-bt-protocol-v1.2-ps-20170411.html#bluetooth-pairing-client-considerations) section " Bluetooth pairing: Client considerations":
> "Bluetooth pairing is "system-wide", then any application on that device might be able to interact with an Authenticator."

Cross-Device Authentication (hybrid) does not use BLE pairing (and does not use any part of that referenced specification). In general, if a web browser is compromised, all bets are off.

Please use [FIDO-DEV](https://groups.google.com/a/fidoalliance.org/g/fido-dev) or [Passkeys Discussion](https://github.com/passkeydeveloper/discussions/discussions) for questions. This repo is for specification work.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1940#issuecomment-1671327210 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 9 August 2023 13:27:31 UTC