Re: [webauthn] Is `hmac-secret` required for `prf` for non-CTAP authenticators (#2285) from Kostas Pyliouras via GitHub on 2025-04-28 (public-webauthn@w3.org from April 2025)

From: Kostas Pyliouras via GitHub <sysbot+gh@w3.org>
Date: Mon, 28 Apr 2025 07:14:07 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2834199557-1745824445-sysbot+gh@w3.org>

I did a [deep dive](https://webauthn-passkeys-prf-demo.explore.corbado.com/) into PRF recently. Most current authenticators return PRF values even when the credential hasn’t been created with PRF enabled (e.g., iCloud, Google Password Manager, YubiKey). This behavior aligns with CTAP 2.2, helps the extension, but wasn’t entirely clear to me from reading the specification.

-- 
GitHub Notification of comment by kopy
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2285#issuecomment-2834199557 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 28 April 2025 07:14:10 UTC