Re: [webauthn] Spec abstract is out of date on the eve of multi-device credentials and cross-device auth (#1743)

A lot of documentation here will calm you.

> Until now, the private key being bound to the device gave me a certain sense of security. Not anymore though with "synced-in-the-cloud-secrets" aka multi-device credentials. It makes the whole reasoning also a bit more difficult.
> 
> In this light, I think too it is crucial to update the abstract of this specification to highlight that these "private keys" are not device-bound anymore, but can be synced/shared. The concept is fundamentally altered because of this, with implications for usage, security and privacy.

"Passkeys in the Google Password Manager
On Android, the Google Password Manager provides backup and sync of passkeys. This means that if a user sets up two Android devices with the same Google Account, passkeys created on one device are available on the other. This applies both to the case where a user has multiple devices simultaneously, for example a phone and a tablet, and the more common case where a user upgrades e.g. from an old Android phone to a new one."
https://security.googleblog.com/2022/10/SecurityofPasskeysintheGooglePasswordManager.html#:~:text=synchronization%20and%20backup.-,Passkeys%20in%20the%20Google%20Password%20Manager,e.g.%20from%20an%20old%20Android%20phone%20to%20a%20new%20one.,-Passkeys%20in%20the

-- 
GitHub Notification of comment by vonDubenshire
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1743#issuecomment-1452575512 using your GitHub account


Received on Thursday, 2 March 2023 21:30:26 UTC