Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

Thanks @denniskniep, I am now able to reproduce.
I was missing the "More Options" link in the first screen, but using a specific order I can now authenticate using a passkey stored on a security key.

Interestingly, 
- I can only authenticate using the security key if I **also** have a passkey stored in Google Password Manager
- I can only authenticate using the security key if allowCredentials is empty
- I can only authenticate using this flow, but not register

I also noticed a warning "Only connect to devices you trust" on Android after scanning the QR code and before connecting to the client that I think wasn't there before. This is a good addition but I am not sure if this will help against phishing attacks where users already believe they are using a trusted client.

I have also wondered if Relying Parties can discourage (instead of prevent) hybrid flows by disabling hybrid or detecting if hybrid was used after the fact and present a warning in the hope of making them more aware of future phishing attempts. For instance:

- In the get() and create() publicKey hints options, exclude "hybrid": hints: ["security-key", "client-device"]
- When registering a credential, detecting credentials with attachment 'cross-platform' that also have transports that include 'hybrid'.
- When authenticating, detecting assertions for credentials with attachment 'cross-platform' that reported 'hybrid' transport during registration.

Unfortunately, `authenticatorAttachment` does not behave consistently across browsers. See for instance [this](https://developer.apple.com/forums/thread/749424) Safari issue.

-- 
GitHub Notification of comment by joostd
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3450180942 using your GitHub account


Received on Monday, 27 October 2025 09:04:39 UTC
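As an added illustration of the three relying-party measures listed in the comment (discouraging hybrid via `hints`, flagging hybrid-transport credentials at registration, and flagging their later assertions), the following JavaScript is example code, not code from the thread or the WebAuthn spec. The `store` Map, the credential ids, and the `transports` array passed in (which a browser would obtain from `AuthenticatorAttestationResponse.getTransports()`) are assumptions.

```javascript
// Added example: relying-party checks that discourage and detect hybrid flows.
// Assumptions: credential records live in a Map keyed by credential id, and
// `transports` is the array a browser returns from getTransports() on the
// AuthenticatorAttestationResponse; nothing here calls the browser API itself.

// 1. Request options that steer the client away from the QR/hybrid flow.
//    `hints` is a preference the client may honour, not an enforcement.
function hintsWithoutHybrid(publicKey) {
  return { ...publicKey, hints: ["security-key", "client-device"] };
}

// 2. Registration: a cross-platform credential whose transports include
//    "hybrid" was most likely created through a phone-to-client flow.
function classifyRegistration({ authenticatorAttachment, transports }) {
  const t = Array.isArray(transports) ? transports : [];
  const hybrid = t.includes("hybrid");
  const crossPlatform = authenticatorAttachment === "cross-platform";
  // authenticatorAttachment is reported inconsistently across browsers, so a
  // missing value is treated as "unknown" rather than as a platform authenticator.
  const warn = hybrid && (crossPlatform || authenticatorAttachment == null);
  return { hybrid, crossPlatform, warn };
}

// Persist what was learned at registration so later assertions can be judged.
function recordRegistration(store, credentialId, response) {
  const c = classifyRegistration(response);
  store.set(credentialId, {
    transports: Array.isArray(response.transports) ? [...response.transports] : [],
    registeredHybrid: c.hybrid,
  });
  return c;
}

// 3. Authentication: flag an assertion reported as cross-platform for a
//    credential that declared the hybrid transport when it was registered.
function classifyAssertion(store, credentialId, authenticatorAttachment) {
  const rec = store.get(credentialId);
  if (!rec) return { known: false, registeredHybrid: false, warn: false };
  const warn = rec.registeredHybrid && authenticatorAttachment === "cross-platform";
  // When attachment is absent, registeredHybrid alone tells the RP that a
  // hybrid-capable credential is in play; the caller decides how to present it.
  return { known: true, registeredHybrid: rec.registeredHybrid, warn };
}
```

The `warn` flags are meant to drive a user-facing notice after the ceremony succeeds, not to reject the credential, matching the "discourage, not prevent" intent of the comment.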