- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Mon, 20 Feb 2023 18:37:32 +0000
- To: public-webauthn@w3.org
Conditional WebAuthn does not require long lived challenges.

Sent from my iPhone

On 20 Feb 2023, at 10:13 pm, Fredrik Tolf ***@***.***> wrote:

> While I can understand the "temporarily stolen key" scenario, I do wonder how well that is protected against as is. In particular, the availability of conditional mediation requires the use of challenges that are not only very long-lived, but also that can be generated without any prior authentication. It seems to me that if an attacker can gain temporary access to a key, and wishes to use it on a service with conditional mediation, then he can already make the service generate many valid challenges, that are kept current for a long time, and use them at his leisure.
>
> Am I missing something about this? If I'm not, does that mean that services will need to choose between conditional mediation and higher security guarantees?

--
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1437416337 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 20 February 2023 18:37:34 UTC