Re: [webauthn] Feature: Allow RP to opt out of certain transports (#2349)

> Either way, I don't think that just adding a detection mechanism is the right way to go. The proper solution should be to either eliminate the vulnerability from the transport, or drop the transport altogether.

While eliminating the vulnerability from the transport would be optimal, I'm really unsure how this could possibly work. The BLE connection between the client and the authenticator can't be verified directly by regular users. Unless I'm missing something, the verification process would need to work via some system-level UI (e.g. entering some verification code), but wouldn't that also be spoofable by the phishing page (at least to an extent where regular users wouldn't recognize that they're not dealing with a system-level UI)? I can't think of a solution to that problem, but that may very well be a lack of creativity or knowledge on my part.

So assuming that the CTAP issue won't be fixed any time soon, we're left with removing the transport or introducing an opt-out mechanism. I believe the transport should definitely stay available for most use cases because most use cases don't have threat models that include in-person attackers. And the convenience can be amazing e.g. for signing in on smart TVs. So I think an opt-out feature would be a great compromise.

So wouldn't it be possible to implement an opt-out feature using a combination of WebAuthn and CTAP? WebAuthn could allow RPs to restrict the used transports (with integrity protection) and require authenticators to adhere to the RP's restriction. CTAP could specify that whatever system on the authenticator's device ends up performing the hybrid transport must inform the authenticator that this transport was used. The authenticator would then be able to make a definitive decision on whether to allow the process to continue or not based on the RP's restrictions and the knowledge about what transport was used.

-- 
GitHub Notification of comment by LBBO
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3497723044 using your GitHub account
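A toy model of the enforcement flow proposed in the comment above, added here as an illustration; it is not code from the WebAuthn or CTAP specifications nor from the comment's author. The `allowedTransports` client-data field, the `transport_used` value handed to the authenticator, and the HMAC standing in for the credential private key are all assumptions.

```python
import hashlib
import hmac
import json

# Hypothetical model of "RP restricts transports, authenticator enforces":
# the RP's restriction rides inside the client data, which is hashed and
# signed, so the RP can confirm the authenticator actually saw it.
ALL_TRANSPORTS = frozenset({"usb", "nfc", "ble", "internal", "hybrid"})


def client_data_hash(client_data: dict) -> bytes:
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()


class Authenticator:
    """Toy authenticator; an HMAC key stands in for the credential private key."""

    def __init__(self, key: bytes):
        self._key = key

    def get_assertion(self, rp_id: str, client_data: dict, transport_used: str):
        # Assumed CTAP-side knowledge: the platform tells the authenticator
        # which transport carried this request (e.g. "hybrid").
        allowed = frozenset(client_data.get("allowedTransports", ALL_TRANSPORTS))
        if transport_used not in allowed:
            return None  # refuse: the RP opted out of this transport
        sig = hmac.new(self._key, rp_id.encode() + client_data_hash(client_data), "sha256").digest()
        return {"clientData": client_data, "signature": sig}


def rp_verify(key: bytes, rp_id: str, allowed: frozenset, assertion) -> bool:
    """RP check: the restriction it sent must be in the signed data, and the signature valid."""
    if assertion is None:
        return False
    cd = assertion["clientData"]
    # A client that drops or widens the restriction yields client data the RP rejects.
    if frozenset(cd.get("allowedTransports", ALL_TRANSPORTS)) != allowed:
        return False
    expected = hmac.new(key, rp_id.encode() + client_data_hash(cd), "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def run_scenario(transport_used: str, client_honors_restriction: bool) -> bool:
    """Constructed scenario: RP allows only usb/internal; returns whether the RP accepts."""
    key, rp_id = b"constructed-credential-key", "example.com"
    allowed = frozenset({"usb", "internal"})
    client_data = {"type": "webauthn.get", "challenge": "c0nstructed", "origin": "https://example.com"}
    if client_honors_restriction:
        client_data["allowedTransports"] = sorted(allowed)
    assertion = Authenticator(key).get_assertion(rp_id, client_data, transport_used)
    return rp_verify(key, rp_id, allowed, assertion)
```

Running `run_scenario("hybrid", True)` shows the authenticator refusing a disallowed transport, while `run_scenario("usb", False)` shows the RP catching a client that stripped the restriction before it reached the authenticator.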


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 6 November 2025 15:10:36 UTC