[webauthn] Is `hmac-secret` required for `prf` for non-CTAP authenticators (#2285)

zacknewman has just created a new issue for https://github.com/w3c/webauthn:

== Is `hmac-secret` required for `prf` for non-CTAP authenticators ==
According to the [`prf` extension](https://w3c.github.io/webauthn/#prf-extension), the `hmac-secret` authenticator extension seems to be required; however, the quote below (emphasis added) suggests `hmac-secret` may not actually be needed:

> This extension only exposes a single PRF per credential and, _when implementing on top of_ `hmac-secret`,…

I'm asking since my iPhone reports `true` for the `prf` extension when using Safari; however, the authenticator data doesn't have the `hmac-secret` extension, let alone the `hmac-secret` extension with a value of `true`. I'm unsure if there is a bug in Safari/iPhone or a misunderstanding of the PRF extension. If the `hmac-secret` extension _is_ required, then what is the point of saying "when implementing on top of `hmac-secret`", since that's always the case?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2285 using your GitHub account



Received on Sunday, 27 April 2025 21:07:24 UTC
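
Added example, not part of the original issue or of the WebAuthn specification: one way to reproduce the observation above on the relying-party side, by decoding registration authenticator data and listing its extensions map next to the client's `prf` output. The sample bytes are constructed, the function names (`cbor_item`, `authdata_extensions`, `compare_prf`) are hypothetical, and the CBOR decoder handles only the definite-length subset needed here.

```python
def cbor_item(buf, pos):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7:  # simple values: only false/true/null are needed here
        if info not in (20, 21, 22):
            raise ValueError("unsupported simple value")
        return {20: False, 21: True, 22: None}[info], pos
    if info >= 28:
        raise ValueError("indefinite or reserved length not supported")
    if info >= 24:  # argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (info - 24)
        info, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:  # unsigned or negative integer
        return (info if major == 0 else -1 - info), pos
    if major in (2, 3):  # byte string / text string
        raw = bytes(buf[pos:pos + info])
        return (raw if major == 2 else raw.decode()), pos + info
    if major == 6:
        raise ValueError("tags not supported")
    items = []
    for _ in range(info * (2 if major == 5 else 1)):  # array, or map as k/v pairs
        value, pos = cbor_item(buf, pos)
        items.append(value)
    return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos

def authdata_extensions(auth_data):
    """Return the extensions map from authenticator data ({} if the ED flag is clear)."""
    flags, pos = auth_data[32], 37  # rpIdHash(32) | flags(1) | signCount(4)
    if flags & 0x40:  # AT: aaguid(16) | credIdLen(2) | credId | COSE public key
        pos += 18 + int.from_bytes(auth_data[pos + 16:pos + 18], "big")
        _, pos = cbor_item(auth_data, pos)  # skip the credential public key
    return cbor_item(auth_data, pos)[0] if flags & 0x80 else {}

def compare_prf(client_ext, auth_data):
    """Put the client's prf.enabled next to what the signed authData carries."""
    ext = authdata_extensions(auth_data)
    return {"prf_enabled": client_ext.get("prf", {}).get("enabled"),
            "authdata_hmac_secret": ext.get("hmac-secret")}

# Constructed sample data (all-zero hash, AAGUID and key coordinates), not a capture.
COSE_KEY = (bytes.fromhex("a5010203262001215820") + bytes(32)
            + bytes.fromhex("225820") + bytes(32))
ATTESTED = bytes(16) + b"\x00\x04" + b"cred" + COSE_KEY
WITH_EXT = bytes(32) + b"\xc5" + bytes(4) + ATTESTED + b"\xa1\x6bhmac-secret\xf5"
WITHOUT_EXT = bytes(32) + b"\x45" + bytes(4) + ATTESTED

if __name__ == "__main__":
    print(compare_prf({"prf": {"enabled": True}}, WITHOUT_EXT))
```

The second sample mirrors the case described in the issue: the client output reports `prf` as enabled while the authenticator data carries no extensions map at all.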