Re: [webauthn] Same PRF regardless of UV? (#2337)

The PRF needs to change if UV is or is not present, so that an attacker with physical access to the key can request UV=false, and then get the PRF outputs. UV must influence the PRF output so that it proves the UV was also present, and protects the PRF from disclosure without UV. 

So I agree that PRF must require UV, and must change depending on UV state. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2337#issuecomment-3383610538 using your GitHub account



Received on Thursday, 9 October 2025 00:08:28 UTC
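
The property discussed in the comment above, as an added illustration (not code from the original comment, the WebAuthn specification or any authenticator): a PRF whose key is selected by UV state, modeled on the two per-credential secrets (CredRandomWithUV / CredRandomWithoutUV) of CTAP2's hmac-secret extension. The class name, the `require_uv` flag and the sample input are assumptions made for this example.

```python
import hashlib
import hmac
import os


class ToyAuthenticator:
    """Simplified model of one credential's PRF state (hypothetical, not a real device)."""

    def __init__(self, require_uv: bool = False):
        # Two independent 32-byte secrets per credential, one per UV state,
        # so an evaluation without UV reveals nothing about the with-UV output.
        self._cred_random = {True: os.urandom(32), False: os.urandom(32)}
        # Assumed stricter policy: refuse PRF evaluation unless UV was performed.
        self.require_uv = require_uv

    def prf(self, prf_input: bytes, uv: bool) -> bytes:
        if self.require_uv and not uv:
            raise PermissionError("PRF refused: user verification not performed")
        # Domain-separated salt, as the WebAuthn prf extension derives it.
        salt = hashlib.sha256(b"WebAuthn PRF\x00" + prf_input).digest()
        # The key is chosen by the UV state of this ceremony.
        return hmac.new(self._cred_random[uv], salt, hashlib.sha256).digest()


def uv_states_disagree(auth: ToyAuthenticator, prf_input: bytes) -> bool:
    """True when the UV and non-UV evaluations of the same input differ."""
    return auth.prf(prf_input, uv=True) != auth.prf(prf_input, uv=False)


if __name__ == "__main__":
    sample = b"constructed-example-input"  # constructed sample value
    auth = ToyAuthenticator()
    print("outputs differ by UV state:", uv_states_disagree(auth, sample))
    strict = ToyAuthenticator(require_uv=True)
    try:
        strict.prf(sample, uv=False)
    except PermissionError as exc:
        print("strict policy:", exc)
```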