Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

Wow, I'm 5 hours late to ask this exact question! 🤯  

However, I'd like to add that it would be nice to add integrity protection not only for `PublicKeyCredential.authenticatorAttachment`, but also to `PublicKeyCredentialRequestOptions.allowCredentials`, where RPs are also able to forbid hybrid transport from the get-go. As it's currently implemented, an AitM can manipulate both properties (e.g. in a spear phishing attack) and successfully be authenticated via QR-initiated CDA without the RP realizing that the authenticator was even attached cross-platform.

Just like Dennis, I wrote [a blog post on this](https://www.inovex.de/de/blog/phishing-for-passkeys-an-analysis-of-webauthn-and-ctap/) with [a demo video](https://www.youtube.com/watch?v=zU1vJ0YuK6I) (great minds really do think alike, I guess). I'll also be talking about this at this year's [German OWASP Day](https://god.owasp.de/2025/en/index.html), in case anyone is interested in an in-person discussion.

-- 
GitHub Notification of comment by LBBO
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3442813742 using your GitHub account

Received on Friday, 24 October 2025 12:12:35 UTC
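To make the point of the comment above concrete, here is an added Python example (not code from the thread, the WebAuthn spec or any implementation) that parses a constructed assertion and separates the claims an RP's signature check actually covers (rpIdHash, flags, signCount, challenge, origin) from `authenticatorAttachment` and the `allowCredentials[].transports` hints, which arrive unsigned. Field layout follows the WebAuthn authenticatorData format; the RP ID, challenge and credential ID are constructed sample values.

```python
import hashlib, json, struct

# Flag bits in the authenticatorData flags byte (UP, UV, BE, BS).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10

def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Assertion authenticatorData layout: rpIdHash(32) || flags(1) || signCount(4).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def parse_auth_data(auth_data: bytes) -> dict:
    # Only this structure (plus clientDataJSON) is under the authenticator's signature.
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rpIdHash": auth_data[:32].hex(),
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
        "backupEligible": bool(flags & FLAG_BE),
        "backedUp": bool(flags & FLAG_BS),
        "signCount": struct.unpack(">I", auth_data[33:37])[0],
    }

def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    # Bytes the RP verifies the signature over: authenticatorData || SHA-256(clientDataJSON).
    return auth_data + hashlib.sha256(client_data_json).digest()

def split_claims(request_options: dict, response: dict):
    # Separate what the signature covers from what the client (or an AitM) supplies unsigned.
    covered = parse_auth_data(response["authenticatorData"])
    cd = json.loads(response["clientDataJSON"])
    covered.update(challenge=cd["challenge"], origin=cd["origin"], type=cd["type"])
    unsigned = {
        "authenticatorAttachment": response.get("authenticatorAttachment"),
        "allowedTransports": sorted({t for c in request_options.get("allowCredentials", [])
                                     for t in c.get("transports", [])}),
    }
    return covered, unsigned

# Constructed sample (not captured from a real authenticator): the RP asked for an
# internal (platform) credential, yet the response claims a cross-platform attachment.
REQUEST = {"allowCredentials": [{"type": "public-key", "id": "Y3JlZA", "transports": ["internal"]}]}
SAMPLE = {
    "authenticatorData": build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 7),
    "clientDataJSON": json.dumps({"type": "webauthn.get", "challenge": "dGVzdC1jaGFsbGVuZ2U",
                                  "origin": "https://example.com"}).encode(),
    "authenticatorAttachment": "cross-platform",
}
```

Changing `authenticatorAttachment` or the request's `transports` leaves `signed_message()` byte-identical, which is why an RP that only verifies the signature cannot tell how the authenticator was actually attached.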