- From: Fredrik Tolf via GitHub <sysbot+gh@w3.org>
- Date: Mon, 20 Feb 2023 18:12:54 +0000
- To: public-webauthn@w3.org
While I can understand the "temporarily stolen key" scenario, I do wonder how well that is protected against as is. In particular, the availability of conditional mediation requires the use of challenges that are not only very long-lived, but also that can be generated without any prior authentication. It seems to me that if an attacker can gain temporary access to a key, and wishes to use it on a service with conditional mediation, then he can already make the service generate many valid challenges, that are kept current for a long time, and use them at his leisure.

Am I missing something about this? If I'm not, does that mean that services will need to choose between conditional mediation and higher security guarantees?

--
GitHub Notification of comment by dolda2000
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1437395961 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 20 February 2023 18:12:56 UTC