Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

Can Bob find on a table the YubiKey that Alice has previously set up, add himself (his own factor) to it, and only using his factor, get Alice's credential (her userHandle)?

Or would Alice have to "authorize" (present her own factor, PIN, etc.) Bob adding himself to the same YubiKey, and in so doing, effectively have said it was OK for the two of them to be, security-wise, interchangeable?

----

It seems clear to me that there are some authenticators where the protections (specifically multi-user separations) I've previously discussed seem true, and there are others (like this YubiKey) where that's not true, and so humans would have to make wise decisions in those cases about how their security devices work, and not (for example) mix two different people's factors in the same security device, unless they really wanted them to be interchangeable.

My main concern was whether this could happen surreptitiously, that is, Bob (bad actor) getting access to Alice's userHandle with only Bob's factor(s), without Alice knowing (or having previously agreed to that)?

It seems like that wouldn't be the case.

-- 
GitHub Notification of comment by getify
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2682316627 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 February 2025 15:33:00 UTC