- From: Johan Verrept via GitHub <noreply@w3.org>
- Date: Thu, 26 Feb 2026 11:03:23 +0000
- To: public-webauthn@w3.org
jovasco has just created a new issue for https://github.com/w3c/webauthn:

== Extension to detect the use of Hybrid ==

## Description

I would like to propose an extension to detect the usage of Hybrid.

### Why

The proximity detection in hybrid works with BLE advertisements. This means the range is quite long. Normal BLE connections do not get very far, but this is because they are connection oriented and they usually break down due to packet loss. Advertisements are not connection oriented and this means that even with a packet loss of 90%, advertisements still get through. It only takes one.

For the consumer use-case this is probably fine. Although it is possible to camp outside someone's home, forward the QR code and catch the advertisements, this attack does not scale and the payoff is limited.

The situation becomes different for enterprise or banking. For enterprise, lots of people are in the same building and everyone is in proximity. Even if you are in a large building and not in proximity, there is probably a meeting room within proximity. For banking, the payoff of camping outside someone's home with $100 in hardware suddenly becomes substantial.

For these reasons, we would like to be able to detect the use of Hybrid, to use as a risk signal.

### How

The extension would simply contain a boolean, "hybridUsed". The RP adds the extension with the value set to false. Any intermediate party that receives the extension over hybrid sets the boolean to true and passes it on. The Authenticator signs over the value it receives. The RP checks the presence of the extension and the boolean value inside and uses it as a risk signal.

This would keep in mind several threats: if we are in the attack scenario mentioned above, where the attacker forwards the QR code, he could remove the extension. The RP will notice the missing extension and feeds this to his risk engine (probably as a big red flag).

Should the attacker not remove the extension, it cannot manipulate the value of the boolean as this is set by the receiver of the extension, not the sender. Because the value is signed over by the authenticator, the extension can also not be removed from or modified in the response without breaking the signature.

The value cannot be set by the authenticator itself because Android supports the use of security keys over hybrid. From the point of view of the authenticator, the transport is USB; it cannot detect the intermediate hybrid. (An alternative would be to have an array of transports and just have each party add a value with the transport it received the extension on.)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2394 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 26 February 2026 11:03:24 UTC
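The request/response flow proposed in the issue, simulated as an added example (not code from the issue author or the WebAuthn project): the RP initialises hybridUsed to false, the hybrid receiver sets it to true regardless of what it was sent, the authenticator signs whatever it receives, and the RP maps the outcome to a risk signal. Assumptions: the extension map is encoded as JSON rather than CBOR, and an HMAC with a constructed key stands in for the authenticator's real signature over authenticatorData.

```python
import hashlib, hmac, json

# Constructed key: stands in for the credential's private key (HMAC instead of ECDSA).
AUTHENTICATOR_KEY = b"constructed-authenticator-key"

def _ext_bytes(extensions: dict) -> bytes:
    # Canonical encoding of the extension map (JSON here; CBOR in real authenticatorData)
    return json.dumps(extensions, sort_keys=True).encode()

def rp_build_request(challenge: str) -> dict:
    """RP: request the extension with the boolean initialised to false."""
    return {"challenge": challenge, "extensions": {"hybridUsed": False}}

def hybrid_relay(request: dict) -> dict:
    """Party receiving the request over hybrid sets the flag to true; the received
    value is deliberately ignored, so the sender cannot keep it at false."""
    relayed = json.loads(json.dumps(request))  # deep copy; each party gets its own message
    if "hybridUsed" in relayed["extensions"]:
        relayed["extensions"]["hybridUsed"] = True
    return relayed

def attacker_strip(request: dict) -> dict:
    """Attack from the issue: the QR-code forwarder drops the extension entirely."""
    stripped = json.loads(json.dumps(request))
    stripped["extensions"].pop("hybridUsed", None)
    return stripped

def authenticator_sign(request: dict) -> dict:
    """Authenticator echoes the extension as received and signs it with the challenge
    (it cannot tell 'USB behind hybrid' from plain USB, so it never sets the flag)."""
    msg = _ext_bytes(request["extensions"]) + request["challenge"].encode()
    tag = hmac.new(AUTHENTICATOR_KEY, msg, hashlib.sha256).hexdigest()
    return {"challenge": request["challenge"], "extensions": request["extensions"], "sig": tag}

def rp_verify(response: dict, expected_challenge: str) -> str:
    """RP: verify the signature, then map the extension to a risk signal:
    'invalid' (tampered after signing), 'missing' (red flag), 'hybrid' or 'direct'."""
    msg = _ext_bytes(response["extensions"]) + expected_challenge.encode()
    expected = hmac.new(AUTHENTICATOR_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["sig"]):
        return "invalid"
    flag = response["extensions"].get("hybridUsed")
    return "missing" if flag is None else ("hybrid" if flag else "direct")

def tamper_response(response: dict, value: bool) -> dict:
    """Attacker rewriting the signed output, e.g. flipping hybridUsed back to false."""
    tampered = json.loads(json.dumps(response))
    tampered["extensions"]["hybridUsed"] = value
    return tampered
```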