Re: [webauthn] Is `hmac-secret` required for `prf` for non-CTAP authenticators (#2285)

> I did a [deep dive](https://webauthn-passkeys-prf-demo.explore.corbado.com/) into PRF recently. Most current authenticators return PRF values even when the credential hasn’t been created with PRF enabled (e.g., iCloud, Google Password Manager, YubiKey). This behavior aligns with CTAP 2.2, helps the extension, but wasn’t entirely clear to me from reading the specification.

Indeed. CTAP 2.2 states:

> Note: Authenticator SHOULD generate `CredRandomWithUV`/`CredRandomWithoutUV` and associate them with the credential, even if `hmac-secret` extension is not present in authenticatorMakeCredential request.

This is only a recommendation, but I do think it should be called out in the WebAuthn spec. Something like:

> Some authenticators require `prf` to be passed during registration if `prf` is to ever be used during authentication; thus RPs SHOULD pass `prf` during registration.

-- 
GitHub Notification of comment by zacknewman
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2285#issuecomment-2835510902 using your GitHub account

Received on Monday, 28 April 2025 14:49:32 UTC