- From: Nina Satragno via GitHub <noreply@w3.org>
- Date: Mon, 27 Oct 2025 19:22:01 +0000
- To: public-webauthn@w3.org

There's a similar class of vulnerabilities (assuming you have a bluetooth beacon in place) for classic bluetooth authenticators. I think in that case you might be able to get away with attestation to reject those because there's no forwarding for classic bluetooth the way it exists for hybrid.

We could have the device scanning the QR code inject something that gets signed by the authenticator. But as @emlun says, trying to detect this seems like the wrong approach. It's possible there's not a lot we can do considering the BLE advert is key to underpinning the security of the protocol.

--
GitHub Notification of comment by nsatragno
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3452928191 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 October 2025 19:22:02 UTC