- From: philomathic_life via GitHub <noreply@w3.org>
- Date: Sun, 02 Nov 2025 00:31:39 +0000
- To: public-webauthn@w3.org
zacknewman has just created a new issue for https://github.com/w3c/webauthn:
== Forbid authenticator data from containing plaintext PRF outputs ==
There are password managers (e.g., Bitwarden) where one of the primary security guarantees is that the vault key is _never_ sent to the server. When unknown CBOR key-value pairs are ignored in the authenticator data and an authenticator is used that includes the PRF outputs in the authenticator data, one cannot simply scrub out such key-value pairs since the authenticator data is part of the signature. This causes the vault key to be sent to the server violating one of the security guarantees.
I propose that the spec should explicitly forbid authenticators from including the plaintext PRF outputs in the authenticator data. It's less important for CTAP-based authenticators to have this requirement since `hmac-secret` is encrypted; however nothing forbids such an authenticator to embed some other key-value pair and still be FIDO and WebAuthn compliant. At the very least though, non-CTAP-based authenticators should be required to not send the plaintext PRF outputs instead of simply saying:
> **Authenticator extension input / output**
>
> [This extension](https://w3c.github.io/webauthn/#prf) is abstract over the authenticator implementation, using either the [[FIDO-CTAP]](https://w3c.github.io/webauthn/#biblio-fido-ctap) `hmac-secret` extension or an unspecified interface for communication between the client and authenticator. It thus does not specify a CBOR interface for inputs and outputs.
I think it should say something like (emphasis added):
> **Authenticator extension input / output**
>
> [This extension](https://w3c.github.io/webauthn/#prf) is abstract over the authenticator implementation, using either the [[FIDO-CTAP]](https://w3c.github.io/webauthn/#biblio-fido-ctap) `hmac-secret` extension or an unspecified interface for communication between the client and authenticator. It thus does not specify a CBOR interface for inputs and outputs _except that the CBOR outputs must not contain the plaintext PRF outputs._
Recently GPM [was changed](https://issues.chromium.org/issues/430804950) since it was sending the following CBOR map in the authenticator data when PRF was requested:
```js
{
  "prf": {
    "eval": {
      "first": <first input passed to PRF>,
      "second": <second input passed to PRF>
    },
    "enabled": true
  }
}
```
This was changed so that it wasn't sending the `eval` key-value pair anymore. In this case it wasn't a problem since the data that was being sent were the PRF _inputs_; but even if it were sending the PRF outputs, it wouldn't violate the spec.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2359 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Sunday, 2 November 2025 00:31:40 UTC
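
The issue above notes that a client cannot scrub signed authenticator data, so the remaining client-side option is to refuse to forward it. The following is an added example, not part of the original message or the WebAuthn specification: it decodes the extensions map in the authenticator data and reports whether any byte string in it equals a PRF output the client already holds. All function names are hypothetical, the sample bytes are constructed, and the `results` key in the sample is an assumption, since the issue points out that no CBOR interface is specified.

```javascript
// authData = rpIdHash(32) | flags(1) | signCount(4) | [attested credential data] | [extensions]
const FLAG_AT = 0x40, FLAG_ED = 0x80;
// Walks one definite-length CBOR item, pushing each byte string into `out`; returns the next offset.
function cborScan(buf, off, out) {
  if (off >= buf.length) throw new Error("truncated CBOR");
  const major = buf[off] >> 5, info = buf[off] & 0x1f;
  let n = info;
  off += 1;
  if (info > 27) throw new Error("unsupported CBOR additional info");
  if (info >= 24) {                        // argument follows in 1, 2, 4 or 8 bytes
    n = 0;
    for (const end = off + (1 << (info - 24)); off < end; off++) n = n * 256 + buf[off];
  }
  if (major === 6) throw new Error("CBOR tags not handled");
  if (major === 2 || major === 3) {        // byte string or text string
    if (off + n > buf.length) throw new Error("truncated CBOR");
    if (major === 2) out.push(buf.slice(off, off + n));
    return off + n;
  }
  if (major === 4 || major === 5)          // array of n items, or map of n key/value pairs
    for (let i = major === 5 ? 2 * n : n; i > 0; i--) off = cborScan(buf, off, out);
  return off;
}

// Every byte string inside the signed extensions map (empty when the ED flag is clear).
function signedExtensionBytes(authData) {
  const flags = authData[32], found = [];
  let off = 37;
  if (flags & FLAG_AT) {                   // skip aaguid(16), credentialIdLength(2), id, COSE key
    off += 18 + ((authData[off + 16] << 8) | authData[off + 17]);
    off = cborScan(authData, off, []);
  }
  if (flags & FLAG_ED) cborScan(authData, off, found);
  return found;
}

// True when a PRF output held by the client appears verbatim in the signed extension outputs.
function leaksPrfOutput(authData, prfOutputs) {
  const same = (a, b) => a.length === b.length && a.every((x, i) => x === b[i]);
  return signedExtensionBytes(authData).some(b => prfOutputs.some(o => same(b, o)));
}

// Constructed samples: zeroed rpIdHash, flags UP|UV|ED (0x85), signCount 1, then CBOR extensions.
const txt = s => [0x60 + s.length, ...new TextEncoder().encode(s)];
const sample = ext => Uint8Array.from([...new Uint8Array(32), 0x85, 0, 0, 0, 1, ...ext]);
const prfOut = new Uint8Array(32).fill(0xab);   // stand-in PRF output
// {"prf": {"results": {"first": <32 bytes>}}}; the "results" key name is an assumption
const leaky = sample([0xa1, ...txt("prf"), 0xa1, ...txt("results"), 0xa1, ...txt("first"), 0x58, 32, ...prfOut]);
const clean = sample([0xa1, ...txt("prf"), 0xa1, ...txt("enabled"), 0xf5]);   // {"prf": {"enabled": true}}
```

In a browser, the inputs would be `new Uint8Array(response.authenticatorData)` and the `first`/`second` values from `getClientExtensionResults().prf.results`, checked before the assertion is sent to the server. The check only catches outputs embedded verbatim as CBOR byte strings.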