Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266)

> Can Bob find on a table the yubikey that Alice has previously set up, add himself (his own factor) to it, and only using his factor, get Alice's credential (her userHandle)?

Only if Bob knows the PIN set on the YubiKey (or if no PIN has been set yet). So:

> Or would Alice have to "authorize" (present her own factor, pin, etc) Bob adding himself to the same yubikey, and in so doing, effectively said it was OK for the two of them to be, security-wise, interchangeable?

Yes.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2682526950 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 February 2025 16:10:56 UTC
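An added example, not part of the thread above or of any WebAuthn implementation: emlun's answer concerns what the authenticator enforces (the YubiKey's PIN gates adding another factor). The relying party cannot see that policy, but it can check the two things the issue title asks about: that the assertion's authenticatorData carries the UV (user verified) flag, and that the userHandle returned with the assertion names the account that owns the credential ID, so an assertion can never be redirected to a different account by changing the userHandle. The RP name, credential IDs, user handles and the in-memory credential store below are constructed for the example; signature verification is assumed to happen elsewhere.

```python
import hashlib
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn "Authenticator Data").
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN, biometric, ...)
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


class AssertionRejected(Exception):
    """Raised when an assertion fails one of the RP-side checks."""


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise AssertionRejected("authenticatorData shorter than 37 bytes")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_binding(auth_data, rp_id, credential_id, user_handle,
                            credential_store, require_uv=True):
    """Return the username the assertion authenticates, or raise AssertionRejected.

    Signature verification over authenticatorData || sha256(clientDataJSON) is
    assumed to be done separately and is not repeated here.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        raise AssertionRejected("rpIdHash does not match this RP")
    if not parsed["flags"] & FLAG_UP:
        raise AssertionRejected("UP flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise AssertionRejected("UV required but UV flag not set")
    record = credential_store.get(credential_id)
    if record is None:
        raise AssertionRejected("unknown credential ID")
    # The userHandle is the authenticator's copy of user.id from registration.
    # It must name the account that owns this credential ID; the RP must never
    # select the account from the userHandle alone.
    if user_handle is not None and user_handle != record["user_handle"]:
        raise AssertionRejected("userHandle does not match the credential's owner")
    return record["username"]


# Constructed sample data (hypothetical RP, accounts and credential).
RP_ID = "example.com"
ALICE_HANDLE = bytes(range(16))       # constructed user.id for Alice
BOB_HANDLE = bytes(range(16, 32))     # constructed user.id for Bob
ALICE_CRED = b"\xa1" * 16             # constructed credential ID registered by Alice
CREDENTIAL_STORE = {ALICE_CRED: {"user_handle": ALICE_HANDLE, "username": "alice"}}


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build a minimal authenticatorData blob (no attested data, no extensions)."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def outcome(flags: int, user_handle: bytes, credential_id: bytes = ALICE_CRED) -> str:
    """Run the checks on constructed input and report the result as a string."""
    try:
        username = check_assertion_binding(make_auth_data(RP_ID, flags), RP_ID,
                                           credential_id, user_handle, CREDENTIAL_STORE)
        return "ok:" + username
    except AssertionRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(outcome(FLAG_UP | FLAG_UV, ALICE_HANDLE))  # ok:alice
    print(outcome(FLAG_UP, ALICE_HANDLE))            # rejected: UV required but UV flag not set
    print(outcome(FLAG_UP | FLAG_UV, BOB_HANDLE))    # rejected: userHandle does not match the credential's owner
```

The third case is the one relevant to the question in the thread: even if Bob could produce a valid assertion with a credential on Alice's key, the RP ties the credential ID to Alice's stored user.id, so presenting a different userHandle rejects the login rather than switching accounts. What the RP cannot tell from the flags is who satisfied the PIN prompt; that is exactly the part emlun's answer places on the authenticator's PIN.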