Re: [webauthn] Is `hmac-secret` required for `prf` for non-CTAP authenticators (#2285)

I spent more time looking into this, and iPhone 15 Pro Max + iOS 18.4.1 + Safari + the Passwords app never uses the `hmac-secret` authenticator extension. This suggests that perhaps the spec should be updated to not require `hmac-secret` and change the directives that require `prf` to be based on `hmac-secret`.

In fact, I'm able to use the PRF extension even if I create a passkey _without_ the PRF extension. No matter what, there is no `hmac-secret` in the authenticator data for both registration and authentication.

This seems like a good thing, so I can submit a PR that clarifies the `hmac-secret` extension is only relevant for CTAP authenticators like security keys.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2285#issuecomment-2833969479 using your GitHub account


Received on Monday, 28 April 2025 04:45:28 UTC
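
One way to check raw authenticator data for an `hmac-secret` extension entry, as the comment above describes doing. This is an added example, not part of the original comment or of the WebAuthn specification. The function names and sample byte arrays are constructed for illustration, not captured from a device.

```javascript
// Added example: decodes only the CBOR subset that appears in authenticator data.
function cborDecode(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let arg = info, k, v;
  if (info >= 24 && info <= 27) {            // 1-, 2-, 4- or 8-byte argument follows
    const n = 1 << (info - 24);
    if (pos + n > buf.length) throw new Error("truncated CBOR");
    arg = 0;
    for (let i = 0; i < n; i++) arg = arg * 256 + buf[pos + i];
    pos += n;
  } else if (info > 27) throw new Error("indefinite length not supported");
  switch (major) {
    case 0: return [arg, pos];               // unsigned int
    case 1: return [-1 - arg, pos];          // negative int
    case 2: return [buf.slice(pos, pos + arg), pos + arg];   // byte string
    case 3: return [new TextDecoder().decode(buf.slice(pos, pos + arg)), pos + arg];
    case 4: { const a = [];
      for (let i = 0; i < arg; i++) { [v, pos] = cborDecode(buf, pos); a.push(v); }
      return [a, pos]; }
    case 5: { const m = new Map();
      for (let i = 0; i < arg; i++) {
        [k, pos] = cborDecode(buf, pos); [v, pos] = cborDecode(buf, pos); m.set(k, v); }
      return [m, pos]; }
    case 7: return [info === 21 ? true : info === 20 ? false : null, pos];
    default: throw new Error("unsupported CBOR major type " + major);
  }
}

// Returns the extensions map from raw authenticator data (empty Map when ED is clear).
function authDataExtensions(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  let pos = 37;                              // rpIdHash (32) + flags (1) + signCount (4)
  if (flags & 0x40) {                        // AT: attested credential data (registration)
    pos += 18 + ((authData[pos + 16] << 8) | authData[pos + 17]); // aaguid, length, id
    [, pos] = cborDecode(authData, pos);     // skip the COSE public key
  }
  return flags & 0x80 ? cborDecode(authData, pos)[0] : new Map();   // ED flag
}

const hasHmacSecret = (authData) => authDataExtensions(authData).has("hmac-secret");

// Constructed samples: zeroed rpIdHash, signCount 1, then an optional CBOR tail.
const sample = (flags, tail = []) => Uint8Array.from([...new Array(32).fill(0), flags, 0, 0, 0, 1, ...tail]);
const key = [...new TextEncoder().encode("hmac-secret")];
const securityKeyAssertion = sample(0x85, [0xa1, 0x6b, ...key, 0x58, 0x20, ...new Array(32).fill(0xaa)]);
const platformAssertion = sample(0x05);      // UP+UV, no extensions, so no hmac-secret
```

In a browser, pass `new Uint8Array(credential.response.authenticatorData)` for an assertion, or the result of `getAuthenticatorData()` for a registration response.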