Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

> My request is related to a high-risk enterprise workforce scenario.
> As a Relying Party I want to be able to opt out of the [Hybrid transport](https://fidoalliance.org/specs/fido-v2.2-ps-20250714/fido-client-to-authenticator-protocol-v2.2-ps-20250714.html)
> flow (cross‑device via QR-Code & BLE) within the WebAuthn request. Furthermore, I want to be able to authoritatively check in the WebAuthn response that no Hybrid transports were used during FIDO authentication.
> To prove this in a reliable way, this has to be part of what is signed.

The only viable option is attestation - this allows you to precisely control the authenticators in use. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3445650352 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 25 October 2025 03:46:10 UTC
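
The reply above points to attestation as the way to control which authenticators are in use. As an added example (not code from the thread or from the WebAuthn project), this sketch shows a Relying Party enforcing an AAGUID allowlist on the authenticator data received at registration. It assumes the attestation statement's signature and certificate chain were already verified elsewhere, represented by the hypothetical `attestation_verified` argument; the AAGUID, function names and sample bytes are constructed.

```python
import struct
import uuid

FLAG_AT = 0x40  # authenticator data flag: attested credential data included

# Constructed allowlist entry; a real deployment lists its approved models here.
ALLOWED_AAGUIDS = {uuid.UUID("11111111-2222-3333-4444-555555555555")}


class PolicyError(Exception):
    """Registration does not satisfy the authenticator policy."""


def parse_attested_header(auth_data: bytes):
    """Return (aaguid, credential_id) from registration authenticator data."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        raise PolicyError("authenticator data shorter than 37-byte header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise PolicyError("AT flag clear: no attested credential data")
    if len(auth_data) < 55:  # + aaguid(16) + credentialIdLength(2)
        raise PolicyError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise PolicyError("credential ID length exceeds available data")
    return aaguid, cred_id


def check_registration(auth_data: bytes, attestation_verified: bool, allowed=ALLOWED_AAGUIDS):
    """Accept a new credential only if its verified AAGUID is on the allowlist."""
    if not attestation_verified:
        # Without a verified statement the AAGUID is self-asserted.
        raise PolicyError("attestation statement not verified")
    aaguid, cred_id = parse_attested_header(auth_data)
    if aaguid.int == 0:
        raise PolicyError("all-zero AAGUID: authenticator model not disclosed")
    if aaguid not in allowed:
        raise PolicyError(f"authenticator model {aaguid} not on allowlist")
    return aaguid, cred_id


def build_sample(aaguid: uuid.UUID, flags: int = 0x01 | FLAG_AT) -> bytes:
    """Constructed authenticator data: zeroed rpIdHash, signCount 0, placeholder key."""
    cred_id = b"\x01\x02\x03\x04"
    return (b"\x00" * 32 + bytes([flags]) + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```

Attestation is conveyed when a credential is created, so this check runs at registration; later assertions are then tied to a credential ID that passed it.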