[webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

denniskniep has just created a new issue for https://github.com/w3c/webauthn:

== Hybrid transport opt-out and ability for verifiable proof ==
My request is related to a high-risk enterprise workforce scenario.
As a Relying Party I want to be able to opt out of the [Hybrid transport](https://fidoalliance.org/specs/fido-v2.2-rd-20241003/fido-client-to-authenticator-protocol-v2.2-rd-20241003.html#sctn-hybrid)
flow (cross-device via QR code & BLE) within the WebAuthn request. Furthermore, I want to be able to authoritatively check in the WebAuthn response that no Hybrid transports were used during FIDO authentication.
To prove this in a reliable way, this has to be part of what is signed.

The reason for this request is that I see a realistic attack vector described in detail here:
https://denniskniep.github.io/posts/14-fido-cross-device-phishing/
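As an added example (not code from the issue author or from the WebAuthn project), the following shows how a Relying Party can express a no-hybrid policy with the request fields that already exist, and check the client-reported transports at registration; the RP id, challenge bytes and credential records are constructed placeholders, and the comments note why this is not the signed proof the issue asks for.

```javascript
// Policy for this RP: platform authenticators and roaming security keys only.
// "hybrid" is deliberately absent from the allowed set.
const ALLOWED_TRANSPORTS = new Set(["internal", "usb", "nfc", "smart-card"]);

// Build the PublicKeyCredentialRequestOptions passed to navigator.credentials.get().
// `hints` (WebAuthn Level 3) and per-credential `transports` steer which flows the
// client offers; both are advisory, so a client may still present the QR code.
function buildAssertionOptions(rpId, challenge, registeredCredentials) {
  return {
    rpId,
    challenge, // fresh random bytes from the server, one per ceremony
    userVerification: "required",
    hints: ["client-device", "security-key"], // omits "hybrid" on purpose
    allowCredentials: registeredCredentials.map((c) => ({
      type: "public-key",
      id: c.id,
      // Keep only the transports recorded at registration that policy allows.
      transports: c.transports.filter((t) => ALLOWED_TRANSPORTS.has(t)),
    })),
  };
}

// Server-side check on a registration response. `transports` is what the client
// reported via AuthenticatorAttestationResponse.getTransports(). It is not covered
// by the authenticator's signature (authenticatorData carries rpIdHash, flags,
// signCount, attested credential data and extensions, but no transport), which is
// the gap the issue describes: this is a hint-based policy, not verifiable proof.
function registrationTransportsAcceptable(transports) {
  if (!Array.isArray(transports) || transports.length === 0) {
    return { ok: false, reason: "no transports reported" };
  }
  const disallowed = transports.filter((t) => !ALLOWED_TRANSPORTS.has(t));
  if (disallowed.length > 0) {
    return { ok: false, reason: `disallowed transport(s): ${disallowed.join(",")}` };
  }
  return { ok: true, reason: "" };
}

// Constructed sample: a stored credential whose client reported USB and hybrid.
const sampleCredentials = [
  { id: new Uint8Array([0x01, 0x02, 0x03]), transports: ["usb", "hybrid"] },
];
const sampleOptions = buildAssertionOptions(
  "rp.example", // placeholder RP id
  new Uint8Array([0xaa, 0xbb, 0xcc, 0xdd]), // placeholder challenge
  sampleCredentials
);
```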

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 October 2025 06:40:06 UTC