Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

@timcappalli 
> Physical proximity attacks are largely outside the threat model.

Makes sense. If that means that WebAuthn won't consider any changes aimed at preventing such attacks, the rest of my comment is irrelevant. But I think WebAuthn could be modified to prevent the attacks described by @denniskniep and me, so I'll share my thoughts just in case my suggestions end up being acceptable after all.

> Also, if the client or client platform is compromised, most other bets are off.

To me this *feels* different than a compromised client. I understand that most bets are off if there's malware running on the victim's client. But in this scenario, the victim's client is completely uncompromised. The authenticator is simply communicating with a different client than the victim thinks it is. While this is unimaginable for platform-attached authenticators and probably even for other transports used by cross-platform-attached authenticators, it's now suddenly feasible and it might be worth considering it separately from "ordinary" compromised clients.


@emlun
> I'm not sure it would be solved by, for example, adding a transport value to clientDataJSON

Yeah, I guess modifying `clientDataJSON` wouldn't work. But since the authenticator knows how it's communicating with the client, couldn't it add that information to its response (e.g. by using one or more of the reserved flags in authenticatorData)?

Another option could be to promote `allowCredentialDescriptorList` to a security property, add it to the authenticator's signature and require the authenticator to validate the listed transports before completing the authentication. That way, an AitM either adds the `hybrid` transport to the allow-list, but that manipulation would then be detected by the RP, or doesn't add it, and the authenticator refuses to complete authentication because an unallowed transport is being used.

-- 
GitHub Notification of comment by LBBO
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3444045169 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 October 2025 16:42:33 UTC
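A toy model of the second proposal in the comment above (the transport allow-list covered by the authenticator's signature and enforced by the authenticator), added here as an illustration; it is not code from the thread or from the WebAuthn spec. The HMAC stands in for the credential's assertion signature, and the JSON field names, the hashing of the list and the scenario wiring are all assumptions.

```python
# Toy model (added illustration, not WebAuthn code): the RP's allow-listed
# transports are covered by the assertion signature, and the authenticator
# refuses to complete an assertion over a transport that is not listed.
# The HMAC is a shared-key stand-in for the credential's ECDSA key, and the
# field layout below is hypothetical, not the spec's.
import hashlib
import hmac
import json
import secrets

CRED_KEY = secrets.token_bytes(32)  # stands in for the credential private key


def rp_make_request(allowed_transports):
    """RP side: a challenge plus the transport allow-list it wants enforced."""
    return {"challenge": secrets.token_hex(16), "transports": sorted(allowed_transports)}


def transports_hash(transports):
    """Canonical hash of the allow-list so it can be bound into the signature."""
    return hashlib.sha256(json.dumps(sorted(transports)).encode()).digest()


def authenticator_respond(request, actual_transport):
    """Authenticator side: refuse if the transport in use is not allowed,
    otherwise sign over the challenge and the hash of the allow-list it saw."""
    if actual_transport not in request["transports"]:
        return None  # refuses to complete the assertion
    signed = request["challenge"].encode() + transports_hash(request["transports"])
    return {"sig": hmac.new(CRED_KEY, signed, "sha256").digest()}


def rp_verify(original_request, response):
    """RP side: verify against the allow-list it originally sent, not a relayed copy."""
    if response is None:
        return "no assertion"
    expected = original_request["challenge"].encode() + transports_hash(original_request["transports"])
    ok = hmac.compare_digest(response["sig"], hmac.new(CRED_KEY, expected, "sha256").digest())
    return "accepted" if ok else "rejected: allow-list tampered"


def run_scenario(actual_transport, aitm_adds_hybrid):
    """RP allows only usb; an AitM relaying the request may or may not add hybrid."""
    request = rp_make_request(["usb"])
    relayed = dict(request)
    if aitm_adds_hybrid:
        relayed["transports"] = request["transports"] + ["hybrid"]
    response = authenticator_respond(relayed, actual_transport)
    return rp_verify(request, response)
```

Both AitM branches end without a usable assertion: tampering with the list breaks the signature the RP checks, and leaving it alone makes the authenticator refuse the `hybrid` session, while the honest `usb` case is unaffected.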