Tim Cappalli
@LBBO > Could you perhaps elaborate on this a bit? What issues would arise from signing one (or both) of these properties or including them in objects that already have...
It's also important to remember that WebAuthn and passkeys are designed to prevent remote phishing attacks. Physical proximity attacks are largely outside the threat model. That said, there is additional...
> But since the authenticator knows how it's communicating with the client,

That is only the case for traditional authenticators using external transports (USB, NFC, Bluetooth), not for software-based credential...
> What if the WebAuthn responses were sent directly to the Relying Party through a pre-established backchannel?

This would effectively be federation then. Credential managers / authenticators in a consumer...
Just to try to bring this discussion back around, @denniskniep if you believe you discovered a protocol vulnerability in FIDO CTAP, please send the details to [email protected]. That discussion should...
@sbweeden we already committed to addressing this in L4 at the last TPAC: #2157.
Hi! Typically MDN covers the web platform components, not the entire ecosystem. Passkeys are just one type of credential that can be created via the Web Authentication API. We would...
> Is user verification discouraged intended to be used for relying parties to signal a preference for less user interaction?

It is used by RPs to signal that no activation...
@npdoty did the previous response sufficiently answer your questions about user verification?
I'm seeing this as well on macOS 26. It was fine on the previous release.