Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The problem starts earlier with the secret key which you can't place "into" a TKey. You can deterministically derive one between the TKey and a server using some thing like a (semi) static DH but that isn't how it is implemented in general.


I understand that the ability to place stuff "into" a TKey would be needed to support discoverable WebAuthn credentials ("passkeys"). But would it also be needed for non-discoverable credentials?


Yes, to set a PIN protecting the non-discoverable credentials. The FIDO PIN can be changed while you have access to the authenticator and not to the credentials it previously created.


User verification is optional.

If you only do user presence and non-discoverable, then WebAuthn is completely stateless and deterministic for a given (challenge,rpId,origin) triplet


Isn't a 'passkey' with no discoverable credentials and no user verification just a regular U2F token?


Well, it could still provide credBlob (up to 32 bytes of data stored in the non-discoverable credential and handed back after verification). But mostly yes, it's losing the advantages of FIDO2.


Modulo supporting more algorithms -- yes




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: