
non-TPM devices? Android and iPhone / iOS | iPadOS TPM equivalents?

Open anwarmahmood1 opened this issue 10 months ago • 7 comments

hi!

just some questions that I'm sure have already been addressed, but seeking confirmation / perhaps they could be in an FAQ?

If a desktop OS does not have a TPM, will this 'fail safe'? Conceptually similar to falling back from TLS 1.3 to TLS 1.2 if necessary.

Is the expectation that authentication servers will have policy capabilities:

  • no DBSC requirements
  • should use DBSC, but it is acceptable not to
  • must use DBSC; cannot proceed without

Equally, is the expectation that browsers can implement policies:

  • no DBSC requirements
  • should use DBSC, but it is acceptable not to
  • must use DBSC; cannot proceed without [if a server can't do DBSC, then the user cannot authenticate; might be inconvenient, but organisational security policy might require this]

As an example, as a Google Workspace admin, I set my tenancy to require DBSC, and I apply a Google Chrome policy that requires DBSC. My users can log on to my tenancy and stolen tokens are now useless.

Not an expert, but I am guessing the isolation on iOS | iPadOS and Android means token theft isn't possible, so DBSC isn't required?

How will a [single] authentication endpoint handle desktop apps and mobile apps; in other words, use DBSC for desktop, and not for mobile OSes? The user agent is an indicator, of course, but not dependable. For example, if I use developer tools, I can make my desktop browser appear to be an iPad, thus would not use DBSC. This could be an attack vector; essentially attacker tricks the user to browse to a malicious website presenting a mobile user agent.

I am guessing that this isn't intended to address malicious domains. For example, a user receives an email with a link to https://acounts.google.com [accounts is misspelled] and authenticates. The attacker is using MITM to steal tokens.

[not saying DBSC should address malicious domains; merely seeking confirmation that it isn't intended to do so, and does not]

[forgive my naivete; I'm sure these are dumb questions that have been considered; I just can't find anything]

anwarmahmood1 · Apr 03 '24 08:04
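The question above about gating DBSC on the User-Agent (desktop gets DBSC, "mobile" does not) and about the three policy tiers (optional / preferred / required) can be illustrated with a small server-side model. The following is an added example and is not code from the DBSC project or from the issue author. It assumes a hypothetical server that records, per session, whether a bound key was registered at login; the class and function names, the policy tier names, the User-Agent strings and the proof format are all assumptions. Proof of possession is simulated with an HMAC over a server challenge using a key the simulated device never exports; real DBSC uses a TPM-held asymmetric key and a different wire protocol. The point the example shows: a spoofed mobile UA defeats a UA-keyed rule, but not a rule keyed on the session's own binding state, regardless of which policy tier is in force.

```python
import hashlib
import hmac
import secrets

# Hypothetical policy tiers mirroring the three levels in the question.
OPTIONAL, PREFERRED, REQUIRED = "optional", "preferred", "required"

# Constructed User-Agent strings for the scenarios below (not real captures).
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
SPOOFED_MOBILE_UA = "Mozilla/5.0 (iPad; CPU OS 17_0 like Mac OS X) Safari/604.1"


class Device:
    """A browser plus its 'TPM': the bound key never leaves this object."""

    def __init__(self, user_agent):
        self.user_agent = user_agent
        self.cookies = {}
        self._bound_key = None  # stand-in for a non-exportable TPM-resident key

    def generate_bound_key(self):
        self._bound_key = secrets.token_bytes(32)
        return self._bound_key  # shared with the server once at login (HMAC simplification)

    def request(self, server, spoofed_user_agent=None):
        """Build a request; attach a proof of possession only if a bound key exists."""
        nonce = server.challenge()
        proof = None
        if self._bound_key is not None:
            proof = hmac.new(self._bound_key, nonce, hashlib.sha256).digest()
        return {"ua": spoofed_user_agent or self.user_agent,
                "cookie": self.cookies.get("session"), "nonce": nonce, "proof": proof}


class Server:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}  # cookie value -> bound key, or None for an unbound session
        self.warnings = []

    def login(self, device, dbsc_capable):
        """Issue a session cookie; record a bound key only if the client can do DBSC."""
        if self.policy == REQUIRED and not dbsc_capable:
            return None  # 'cannot proceed without' tier: refuse the login outright
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = device.generate_bound_key() if dbsc_capable else None
        if not dbsc_capable and self.policy == PREFERRED:
            self.warnings.append(f"unbound session issued to {device.user_agent}")
        device.cookies["session"] = cookie
        return cookie

    def challenge(self):
        return secrets.token_bytes(16)

    def _proof_valid(self, cookie, nonce, proof):
        key = self.sessions.get(cookie)
        if key is None or proof is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def authorize_by_user_agent(self, req):
        """Flawed: trusts the client-controlled UA to decide whether binding is checked."""
        if "iPad" in req["ua"] or "Android" in req["ua"]:
            return req["cookie"] in self.sessions  # 'mobile': cookie alone is enough
        return self._proof_valid(req["cookie"], req["nonce"], req["proof"])

    def authorize_by_binding(self, req):
        """Sound: the binding state was fixed server-side when the session was issued."""
        if req["cookie"] not in self.sessions:
            return False
        if self.sessions[req["cookie"]] is not None:  # session registered as bound
            return self._proof_valid(req["cookie"], req["nonce"], req["proof"])
        return self.policy != REQUIRED  # unbound session, tolerated by the tier


def stolen_cookie_scenario(policy):
    """Victim logs in with DBSC; malware copies the cookie jar; attacker spoofs a mobile UA."""
    server = Server(policy)
    victim = Device(DESKTOP_UA)
    server.login(victim, dbsc_capable=True)
    attacker = Device(DESKTOP_UA)
    attacker.cookies = dict(victim.cookies)  # the cookie is stolen, the bound key is not
    replay = attacker.request(server, spoofed_user_agent=SPOOFED_MOBILE_UA)
    return {"victim_accepted": server.authorize_by_binding(victim.request(server)),
            "ua_gate_accepts_attacker": server.authorize_by_user_agent(replay),
            "binding_gate_accepts_attacker": server.authorize_by_binding(replay)}


def non_tpm_login(policy):
    """A device with no TPM: what each policy tier does with it."""
    server = Server(policy)
    legacy = Device(DESKTOP_UA)
    cookie = server.login(legacy, dbsc_capable=False)
    accepted = cookie is not None and server.authorize_by_binding(legacy.request(server))
    return {"accepted": accepted, "warnings": len(server.warnings)}


if __name__ == "__main__":
    print(stolen_cookie_scenario(REQUIRED))
    for tier in (OPTIONAL, PREFERRED, REQUIRED):
        print(tier, non_tpm_login(tier))
```

Two things the toy makes concrete. First, the binding decision belongs to the server's record of how the session was issued, not to anything the client asserts about itself; a session that registered a bound key is checked for a proof even under the "optional" tier, so the spoofed UA buys the attacker nothing. Second, the policy tier only governs what happens to sessions that were never bound (no TPM at login), which is the "fail safe" fallback the question asks about.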