Emil Lundberg
Hi everyone, I'm pleased to report there's been some more progress on this. Yubico and Mozilla have been collaborating with researchers from Surrey Centre for Cyber Security, at the University...
The research paper has now been accepted to the [ACM CCS](https://www.sigsac.org/ccs/CCS2020/) conference! The eprint is published here for public review: https://eprint.iacr.org/2020/1004
Thanks, that's fixed now. Looks like PR #1425 does not have the same typo.
Yeah, the critical piece to realize is that all WebAuthn credentials are "trust on first use" (TOFU) keys. Even with attestation, it is indeed possible for a malicious script to...
When PR #1663 is merged, the attestation verification during assertion should be included in this as well. See: https://github.com/w3c/webauthn/pull/1663#discussion_r960733408
Would it be reasonable if RPs could silently check for "does the user have some discoverable credential for this site"? So not allowing the RP to probe for any particular...
I had a vastly different idea for how this could work: (code snippet omitted) That is, a perfectly normal form with nothing special except the new `` suggested in OP. The...
@Garnac What you're proposing is a much more ambitious vision for a standard web-wide sessions framework, which is way out of scope for the current WebAuthn working group. Even if...
> prerendering old dynamic stuff, like challenge for registration forms.

You should never reuse a [`challenge`](https://www.w3.org/TR/2019/WD-webauthn-2-20191126/#dom-publickeycredentialcreationoptions-challenge); it should be uniquely generated for each registration/authentication ceremony. See [§13.4.1. Cryptographic Challenges](https://www.w3.org/TR/2019/WD-webauthn-2-20191126/#sctn-cryptographic-challenges) (and...
This is currently possible to do by replacing an existing credential, by performing a new registration ceremony with the same `user.id` but omitting the credential to be replaced from `excludeCredentials`....