Signaling when user credentials are shared between users to the relying party #1922

Closed
Kieun opened this issue Jul 17, 2023 · 2 comments

Comments

Kieun (Member) commented Jul 17, 2023

Description

Some passkey providers have been providing credential sharing between multiple users. RPs (or enterprises) might have some controls to allow or disallow credential sharing.
Such controls vary across passkey providers, and sometimes RPs might not be aware that a user's credential has been shared with others.

Some RPs would like to know such things in order to score the security risk.

I'm thinking that this could be offered as one of the following options.

  • Option 1: mark the credential as shared when returning an attestation or assertion, within the authData (might be a flag)
  • Option 2: leverage a well-known URL on the relying party side and send a signal at the time the user credential is actually shared
dwaite (Contributor) commented Aug 16, 2023

Unfortunately, while a client is the interface with authenticators, it does not necessarily know if a passkey provider supports sharing. Indeed, authenticators themselves may not record if a credential has been shared, and sharing may not be an authenticator-level action.

The current recommended mechanism to mandate non-sharable (hardware-bound) credentials would be to require attestations. To prevent restricting use of new authenticators which also do not share credentials, it is recommended the attestations are verified against an up-to-date list of implementations (such as the FIDO Alliance MDS).

In the future, an extension such as devicePubKey might serve as a signal that a credential MAY have been shared, although it also could be signaling other events or simple state clearing.

@dwaite dwaite closed this as completed Aug 16, 2023
Firstyear (Contributor) commented

Worth pointing out the FIDO MDS still has some data corruption issues, so it would be good to get those looked at. I have a full set of patch notes if you need them, @dwaite.
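As an added illustration of the two signals discussed in this thread (example code written for this page; it is not part of the WebAuthn specification, this issue, or any participant's work): an RP-side check that parses the authenticator data from a registration response, reads the Backup Eligibility (BE) and Backup State (BS) bits that Level 3 defines in the flags byte, and looks the AAGUID up against a stand-in for an MDS-derived allowlist, in the spirit of dwaite's recommendation to verify against an up-to-date list of implementations. The AAGUIDs, the allowlist contents, the credential IDs and the RP ID are constructed sample values. Verification of the attestation statement signature is not shown; without it, the flags and AAGUID are only what the client handed over, which is exactly why the comment above says attestation is the mechanism that makes hardware-binding enforceable.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

# Bits of the authenticator data "flags" byte (WebAuthn Level 3, §6.1).
FLAG_UP = 1 << 0  # User Present
FLAG_UV = 1 << 2  # User Verified
FLAG_BE = 1 << 3  # Backup Eligibility: credential may be synced/backed up (multi-device)
FLAG_BS = 1 << 4  # Backup State: credential is currently backed up
FLAG_AT = 1 << 6  # Attested credential data is included
FLAG_ED = 1 << 7  # Extension data is included

# Constructed stand-in for an MDS-derived allowlist (AAGUID -> model info).
# A real RP loads this from the FIDO Alliance MDS BLOB; these AAGUIDs are
# fake sample values made up for this example.
KNOWN_AUTHENTICATORS = {
    bytes.fromhex("11" * 16): {"name": "sample-hardware-key", "hardware_bound": True},
    bytes.fromhex("22" * 16): {"name": "sample-synced-passkey", "hardware_bound": False},
}


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]         # present only when FLAG_AT is set
    credential_id: Optional[bytes]  # present only when FLAG_AT is set


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the 37-byte fixed header and, if AT is set, the attested credential data prefix."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("attested credential data truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        credential_id = data[55:55 + cred_len]
        if len(credential_id) != cred_len:
            raise ValueError("credential id truncated")
        # The COSE_Key public key follows the credential ID; not needed for this policy check.
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def classify_credential(auth_data: AuthData, require_hardware_bound: bool) -> dict:
    """Derive a sharing-risk signal from the BE/BS flags plus the AAGUID allowlist lookup.

    These values are only trustworthy after the attestation statement has been
    verified (not shown here); otherwise they are whatever the client handed over.
    """
    be = bool(auth_data.flags & FLAG_BE)
    bs = bool(auth_data.flags & FLAG_BS)
    if bs and not be:
        # The spec defines no meaning for BS=1 with BE=0; treat it as malformed.
        raise ValueError("BS flag set without BE flag")
    entry = KNOWN_AUTHENTICATORS.get(auth_data.aaguid) if auth_data.aaguid else None
    # Hardware-bound only if the model is known to be, and the authenticator itself
    # does not report the credential as backup-eligible. Unknown models fail closed.
    hardware_bound = bool(entry and entry["hardware_bound"]) and not be
    return {
        "backup_eligible": be,
        "backed_up": bs,
        "known_model": entry["name"] if entry else None,
        "hardware_bound": hardware_bound,
        "accepted": hardware_bound or not require_hardware_bound,
    }


def build_auth_data(flags: int, aaguid: bytes, credential_id: bytes, rp_id: str = "example.com") -> bytes:
    """Construct sample authenticator data with attested credential data (test input only)."""
    cose_key_placeholder = b"\xa0"  # empty CBOR map standing in for the COSE_Key
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags | FLAG_AT])
            + struct.pack(">I", 0)
            + aaguid
            + struct.pack(">H", len(credential_id))
            + credential_id
            + cose_key_placeholder)


if __name__ == "__main__":
    samples = {
        "hardware key": build_auth_data(FLAG_UP | FLAG_UV, bytes.fromhex("11" * 16), b"cred-A"),
        "synced passkey": build_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, bytes.fromhex("22" * 16), b"cred-B"),
        "unknown model": build_auth_data(FLAG_UP | FLAG_UV, bytes.fromhex("33" * 16), b"cred-C"),
    }
    for label, ad in samples.items():
        print(label, classify_credential(parse_auth_data(ad), require_hardware_bound=True))
```

The unknown-model case fails closed when hardware binding is required, which is the trade-off dwaite's comment points at: an RP that does not refresh its allowlist will start rejecting new, non-sharing authenticators. Note also that BE is an authenticator-level statement about syncability, not a record of an actual sharing event, so it is at most a risk input, not proof that a credential was shared.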
