Re: [webauthn] Feature: Allow RP to opt out of certain transports (#2349)

I am late to the party but here are some thoughts:

1. Changes at the Authenticator/Platform Level
The idea is having the authenticator or the platform it runs on (like the phone's OS) provide a verifiable signal.

    The generic idea here is that the authenticator can calculate and sign some sort of checksum of the request that can be verified by the RPs. This allows RPs to be sure that the request/response was not modified by an intermediate attacker.

    The same could be implemented on security keys or any other passkey provider as well.


2. Future Transport-Level Solutions
A new proposal is going around to support NFC-based invocations on Hybrid. This could probably be extended to use NFC tap as a proof of proximity - so the remote-proximity attack (BLE beacon attack) can be prevented.

    We are also thinking about UWB and using its ranging capabilities, once it becomes more mainstream on devices.


-- 
GitHub Notification of comment by harshlal028
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2349#issuecomment-3469643212 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 30 October 2025 19:03:28 UTC
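
The signed-checksum idea in point 1 of the comment above, as an added sketch that is not part of the original message and not WebAuthn's specified behaviour. It assumes the authenticator signs a SHA-256 digest of the request it actually received; `allowedTransports`, the canonical JSON encoding and all function names are hypothetical, and the sample values are constructed.

```javascript
const crypto = require('node:crypto');

// Canonical JSON (sorted keys) so RP and authenticator hash identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

function requestDigest(options) {
  return crypto.createHash('sha256').update(canonical(options)).digest();
}

// Authenticator side (hypothetical): sign the digest of the request as received.
function authenticatorRespond(receivedOptions, privateKey) {
  const digest = requestDigest(receivedOptions);
  return { digest, signature: crypto.sign('sha256', digest, privateKey) };
}

// RP side: check the signature first, then compare the signed digest with the
// digest of the request the RP actually sent.
function rpVerify(sentOptions, response, publicKey) {
  const { digest, signature } = response;
  if (!crypto.verify('sha256', digest, publicKey, signature)) return 'bad-signature';
  const expected = requestDigest(sentOptions);
  const same = digest.length === expected.length &&
    crypto.timingSafeEqual(digest, expected);
  return same ? 'ok' : 'request-modified';
}

// Constructed sample: an intermediary adds a transport the RP opted out of.
function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const sent = { challenge: 'Y29uc3RydWN0ZWQ', rpId: 'example.com',
    allowedTransports: ['usb', 'nfc'] }; // hypothetical field
  const tampered = { ...sent, allowedTransports: ['usb', 'nfc', 'hybrid'] };
  const forged = authenticatorRespond(tampered, privateKey);
  forged.digest = requestDigest(sent); // digest swapped after signing
  return {
    untouched: rpVerify(sent, authenticatorRespond(sent, privateKey), publicKey),
    modified: rpVerify(sent, authenticatorRespond(tampered, privateKey), publicKey),
    swapped: rpVerify(sent, forged, publicKey),
  };
}
```

The check only helps if the RP already trusts the authenticator's public key and the digest covers every field the RP cares about, including any transport restriction.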