Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

> > The only viable option is attestation - this allows you to precisely control the authenticators in use
> 
> [@Firstyear](https://github.com/Firstyear) why should that technically prevent the hybrid flow?
> 
> From my point of view the Authenticator is not necessarily aware **how** the CTAP messages are transported to the Authenticator. Even if it's an attested USB Security Key, CTAP Messages might be relayed by the Operating System through a different channel beforehand (hybrid flow) and finally sent via USB to the Security Key.

Correct, and it's possible to shim a USB CTAP key over caBLE.

Now what you need to step back and consider is this - what is *your threat model*.

At the moment, you are focused on the transport layer of how the signed response is sent. However, I'm going to challenge you that even over HTTP a WebAuthn assertion (nav.cred.get) is secure. The reason is that from the RP you send a nonce that you want the authenticator to sign. The authenticator signs this nonce and returns the signed data.

If the nonce was altered from the RP -> Authenticator, the Authenticator will sign the wrong data and your RP will then be able to assert that the operation failed. 

If the response from the Authenticator -> RP is altered or tampered with, the signature will fail. 

If the response from the Authenticator -> RP is replayed from an earlier assertion, the RP will reject the operation as the nonce is not the one it requested to be signed.


So the *transport* layer doesn't matter. Even in plain text, the assertion can't be falsified. I think your concern over what transport is used is not one that will affect the security of the system.


Now we turn our attention to the more important part of this - the real reason attestation is what matters in a high security environment is that it's the only way to cryptographically verify *how* and *where* the private key of the authenticator is stored. 

Without attestation, the private key could be stored on a post-it note attached to someone's monitor. Attestation is the only way to demand a proof that the private key is stored in a hardware secure enclave where it can't be exfiltrated or removed. It also allows you to prove and trust that signals like UV will be performed correctly, and not falsified. 

So I hope that this helps to explain why first, you want and need attestation, and second, why the transport in use doesn't matter. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3453866537 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 27 October 2025 23:59:08 UTC
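
The cases described in the message above (altered challenge, altered response, replayed response), as an added example that is not part of the original comment or of any WebAuthn project code. It simulates the client plus authenticator and the RP in Node.js; `rp.example`, the function names and the result strings are assumptions.

```javascript
const crypto = require("node:crypto");
const ORIGIN = "https://rp.example"; // assumed RP origin
const RP_ID = "rp.example";          // assumed RP ID
const sha256 = (b) => crypto.createHash("sha256").update(b).digest();

// Simulated client + authenticator: signs authenticatorData || SHA-256(clientDataJSON).
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  function getAssertion(challenge) {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: "webauthn.get", challenge: challenge.toString("base64url"), origin: ORIGIN }));
    // flags byte (UP|UV = 0x05) followed by a 4-byte signCount of 1 (constructed value)
    const flagsAndCount = Buffer.from([0x05, 0, 0, 0, 1]);
    const authenticatorData = Buffer.concat([sha256(RP_ID), flagsAndCount]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
  }
  return { publicKey, getAssertion };
}

// Simulated RP: issues one-time challenges and verifies assertions against them.
function makeRelyingParty(publicKey) {
  const pending = new Set();
  function newChallenge() {
    const c = crypto.randomBytes(32);
    pending.add(c.toString("base64url"));
    return c;
  }
  function verify({ clientDataJSON, authenticatorData, signature }) {
    let client;
    try { client = JSON.parse(clientDataJSON.toString("utf8")); } catch { return "bad-client-data"; }
    if (client.type !== "webauthn.get" || client.origin !== ORIGIN) return "bad-client-data";
    if (!pending.delete(client.challenge)) return "unknown-or-replayed-challenge";
    if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "bad-rp-id";
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad-signature";
  }
  return { newChallenge, verify };
}

// Runs the cases from the message: valid, replayed, challenge altered, response altered.
function demo() {
  const auth = makeAuthenticator(), rp = makeRelyingParty(auth.publicKey);
  const good = auth.getAssertion(rp.newChallenge());
  const altered = Buffer.from(rp.newChallenge());
  altered[0] ^= 1;                          // challenge changed between RP and authenticator
  const tampered = auth.getAssertion(rp.newChallenge());
  tampered.authenticatorData[32] ^= 0x04;   // UV flag flipped between authenticator and RP
  return [good, good, auth.getAssertion(altered), tampered].map((a) => rp.verify(a));
}
```

`demo()` returns one verdict per case, in the order listed in its comment; none of the checks depends on how the bytes travelled between the two sides.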