Adding some sentences to describe credential sharing between multiple users #1921
Comments
Hm. I would agree that passkey sharing (not to be confused with multi-device credentials) goes against some of the assertions we make throughout the spec. See for example the definition of Bound credential:
Also the definition of Credential Key Pair:
I would say one could argue that a multi-device credential synced between several of one user's devices still satisfies these if all are tied to one single cloud account. I don't think you could make that argument for credentials freely shared between different people's cloud accounts, though. There's also the security consideration §13.4.6. Credential Loss and Key Mobility which, even ignoring credential sharing, is just inaccurate since the introduction of the backup state flags:
Is there really any need to have specific call-outs to multiple users here? I could share my YubiKey PIN with my partner and that would be "shared". There is no need for the spec to be aware of the credential being accessed by multiple people, since multiple users can be hidden behind a single user/login (e.g. sharing a Netflix account). And that's exactly how it will work with, say, Apple's passkey sharing, where the RP will not know the difference between the credential being on my phone or my partner's. I think we just leave everything as "a user", and what that user decides to do with their credentials is up to them and their own risk/threat analysis. We don't really need to call out anything specific for this, IMO.
The original credential was bound to the Now, we have sharing features across multiple users, which is bound to This is the reason why I raised the issue.
There is no case where an existing device-bound passkey can become shared with another user's authenticator.
I'm asking about the security and related policy around credential sharing of passkeys. If the credential could be sent (copied) to other users, then it is no longer bound to the user device and user account of the passkey provider.
My perspective is that WebAuthn as a spec deals with client (browser) and RP (server) processing rules, and doesn't have any influence over how an authenticator protects/manages/shares credentials beyond what might be indirectly conveyed via attestation, and the associated promises the authenticator vendor might make associated with that. As such I'd consider any notion of credential sharing to be outside the scope of the WebAuthn specification. Ultimately, if those things are of concern to a deployer, then attestation should be requested and RP policy dictates what happens next.
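The two threads above (the backup state flags mentioned earlier in the discussion, and the point that RP policy has to decide what to do with what the authenticator conveys) come together on the RP side in the authenticator data flags byte. The following is an added example, not code from the WebAuthn spec, from this issue, or from any passkey provider: it parses the fixed prefix of WebAuthn authenticator data, reads the BE (backup eligible) and BS (backup state) bits, rejects the combination the spec forbids (BS set while BE is clear), and applies a hypothetical RP classification policy. The sample authenticator data is constructed inline (rpIdHash of `example.com`, a chosen flags byte and counter), not captured from a real authenticator, and `classify_credential` is an illustrative policy, not anything the spec mandates.

```python
import hashlib
import struct

# Bit positions in the authenticator data "flags" byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential is a multi-device credential
FLAG_BS = 0x10  # backup state: the credential is currently backed up / synced
FLAG_AT = 0x40  # attested credential data follows the sign counter
FLAG_ED = 0x80  # extension data is present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Parse the fixed-length prefix of WebAuthn authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    Attested credential data and extensions, if flagged, follow and are not parsed here.
    Raises ValueError on truncated input or on a flag combination the spec forbids.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    # The spec only permits BS=1 when BE=1; anything else is malformed.
    if bs and not be:
        raise ValueError("BS set without BE: invalid backup flag combination")
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": be,
        "backup_state": bs,
        "has_attested_credential_data": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": sign_count,
    }


def classify_credential(parsed: dict) -> str:
    """Hypothetical RP policy (an assumption of this example, not spec text).

    BE=0 means the authenticator declares the credential single-device (hardware-bound).
    BE=1 means it may be synced by the provider, which is the case where the provider's
    own sharing features can come into play; BS then says whether it currently is synced.
    """
    if not parsed["backup_eligible"]:
        return "single-device"
    return "multi-device-synced" if parsed["backup_state"] else "multi-device-not-backed-up"


def expected_rp_id_hash(rp_id: str) -> bytes:
    """rpIdHash is SHA-256 of the RP ID; the RP compares it against its own value."""
    return hashlib.sha256(rp_id.encode()).digest()


def build_sample_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample input for offline use (not captured from a real authenticator)."""
    return expected_rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    sample = build_sample_authenticator_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    parsed = parse_authenticator_data(sample)
    assert parsed["rp_id_hash"] == expected_rp_id_hash("example.com")
    print(classify_credential(parsed))  # multi-device-synced
```

An RP that cares about the distinction the discussion draws (credential bound to one device and account versus one the provider may sync or share) can record the BE/BS values at registration and compare them on each assertion; a change from BE=0 to BE=1 for the same credential ID is a signal worth logging, since the spec treats backup eligibility as fixed for the credential's lifetime.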
I would agree that it were out of scope if not for the fact that the spec does make some assertions about who and what has access to credential keys, as noted above. I agree that most of this should be left as authenticator implementation details, but I think we need to adjust some of those assertions that don't reflect reality.
Proposed Change
Some passkey providers have introduced passkey sharing features across users (family members or co-workers).
The current spec does not have any description of credential sharing between multiple users.
It would be better to express that the generated credentials could be shared with the help of underlying platforms or others.