- From: Dennis Kniep via GitHub <noreply@w3.org>
- Date: Sat, 25 Oct 2025 08:24:29 +0000
- To: public-webauthn@w3.org
> The only viable option is attestation - this allows you to precisely control the authenticators in use @Firstyear why should that technically prevent the hybrid flow? From my point of view the Authenticator is not necessarily aware **how** the CTAP messages are transported to the Authenticator. Even if its an attested USB Security Key, CTAP Messages might be relayed by the Operating System through a different channel beforehand (hybrid flow) and finally sent via USB to the Security Key. I tested exactly that scenario on Android. After you scanned the qr code with your Android phone you are able to select a Security Key to complete the authentication. -- GitHub Notification of comment by denniskniep Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3446213490 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 25 October 2025 08:24:29 UTC