Re: [webauthn] Hybrid transport opt-out and ability for verifiable proof (#2349)

@Firstyear I don't quite follow.

| So I hope that this helps to explain why first, you want and need attestation, and second, why the transport in use doesn't matter.

Attestation increases trust in the authenticator, but the issue is that for phishing resistance you need a _trusted client_.
The issue here is that when using hybrid transport, an attacker can trick users into connecting their authenticator to an _untrusted client_.
Neither the authenticator nor the Relying Party can currently detect this, as all messages exchanged between Client and Authenticator and between Client and Relying Party are the same whether or not the attack is taking place.
Preventing the attack relies on users being cautious when connecting their device to their client, making sure they are not inadvertently connecting to the wrong client.

-- 
GitHub Notification of comment by joostd
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3455148768 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 October 2025 08:25:40 UTC