- From: John Bradley via GitHub <noreply@w3.org>
- Date: Thu, 06 Nov 2025 16:30:49 +0000
- To: public-webauthn@w3.org
The problem is that without signed requests an attacker can change the request. We could require the selector to pass the transport to the authenticator to include in client data or include it in client data directly depending on architecture. The RP would be responsible for rejecting authentications that don't meet its requirements. When that came up about a year ago this was rejected by the platforms because it would potentially cause large numbers of legitimate transactions to be rejected by RP. Other ways of signalling risk were considered but not acted on at the time. Dynamic QR codes were discussed and rejected because of deployment practicalities. They would only reduce attack surface not stop the attack. The problem/opportunity is that Hybrid was originally between your desktop and your phone. Users did not expect it in other situations. Now if we expand that to other in person presentment to kiosks etc people will become used to using it in situations where it could be dangerous if they are not paying close attention to who the presented RP is, or the context of the authentication. Ideally we can find a protocol way to mitigate this. -- GitHub Notification of comment by ve7jtb Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3498217348 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 6 November 2025 16:30:50 UTC