12C/ NEVER say WebAuthN is Hardware protected unless you check attestations!

From IIW

NEVER say WebAuthN is hardware-protected - unless you check attestations

Session Convener: Kosuke Koiwai

Notes-taker(s): Kosuke Koiwai

Tags / links to resources / technology discussed, related to this session:

WebAuthN, attestation, FIDO2, CTAP2, wallet, verified credentials, TPM, passkeys

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

SLIDE PICTURE: See image(s) for these notes in the IIWXXXIV Book of Proceedings here:


The discussion started with a short introduction to attestation in the WebAuthN spec, a feature that few Relying Parties (RPs) implement because of its complexity: the RP has to decode the CBOR attestation object, recognise the attestation statement format, validate a certificate chain and consult authenticator metadata. The consequence is the session title: with the browser default of attestation "none", nothing in the registration response is signed by the authenticator about itself, so the RP cannot honestly call the credential hardware-protected. Several experts then walked through the details of how attestation works in WebAuthN.

In the near future, platform vendors will introduce multi-device credentials, in which the private key is shared (synced) among a user's devices. Users can choose whether they want a multi-device or a single-device key, but the RP may NOT.

We also discussed the Device Public Key (DPK) extension, which attaches extra data signed by a device-bound key. DPK will be an OPTIONAL feature of WebAuthN, so RPs cannot always get it, and it is also up to platform vendors whether RPs get an option to choose single-device credentials instead of multi-device ones.
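The RP-side check the session title demands, as an added example that is not from the IIW notes or from any WebAuthN library: decode the attestation object a browser returns from navigator.credentials.create(), look at the attestation statement format and the authData flags (including the BE/BS bits that mark a multi-device credential and the ED bit under which authenticator extension outputs such as DPK are carried), and decide what the RP is actually allowed to conclude. Assumptions: a minimal standard-library CBOR decoder, constructed sample objects with dummy key material and a placeholder AAGUID (not a real vendor's), and no certificate-chain or FIDO Metadata Service validation, which is exactly the work the function reports as still outstanding.

```python
"""Classify a WebAuthn attestationObject before claiming anything about hardware.
Added example (not from the IIW notes); standard library only. The CBOR decoder
covers the CTAP2 canonical subset WebAuthn allows; samples are constructed inline."""
import struct

# authData flag bits (WebAuthn section 6.1): BE/BS mark multi-device (syncable) credentials
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80
_ARG = {24: ("B", 1), 25: (">H", 2), 26: (">I", 4), 27: (">Q", 8)}

def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; return (item, end_pos). Trailing bytes are
    allowed because in authData the COSE key is followed by the extensions map."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info in _ARG:
        fmt, n = _ARG[info]
        arg, pos = struct.unpack(fmt, buf[pos:pos + n])[0], pos + n
    else:
        raise ValueError("indefinite-length CBOR is forbidden in WebAuthn")
    if major in (0, 1):                              # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                              # byte string / text string
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                              # array / map (arg = number of pairs)
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[0::2], items[1::2]))), pos
    raise ValueError(f"unsupported CBOR major type {major}")

def parse_auth_data(ad):
    """Split authenticator data: rpIdHash | flags | signCount | attestedCredData | extensions."""
    flags, pos = ad[32], 37
    out = {"flags": flags, "sign_count": struct.unpack(">I", ad[33:37])[0],
           "backup_eligible": bool(flags & FLAG_BE), "backup_state": bool(flags & FLAG_BS),
           "aaguid": None, "credential_id": None, "public_key": None, "extensions": {}}
    if flags & FLAG_AT:                              # attested credential data is present
        out["aaguid"] = bytes(ad[pos:pos + 16]).hex()
        cid_len = struct.unpack(">H", ad[pos + 16:pos + 18])[0]
        out["credential_id"] = bytes(ad[pos + 18:pos + 18 + cid_len])
        out["public_key"], pos = cbor_decode(ad, pos + 18 + cid_len)
    if flags & FLAG_ED:                              # extension outputs (where e.g. DPK would appear)
        out["extensions"], pos = cbor_decode(ad, pos)
    if pos != len(ad):
        raise ValueError("trailing bytes in authenticator data")
    return out

FORMATS_WITH_X5C = ("packed", "tpm", "android-key", "fido-u2f", "apple")

def classify_attestation(attestation_object):
    """'none': nothing about the authenticator is signed, so even the AAGUID is untrusted.
    'self': packed self-attestation, signed with the credential key; proves possession only.
    'full': a certificate chain is present, the only case that can back a hardware claim,
    and only after the chain is validated against a trusted root and the AAGUID is looked
    up in FIDO MDS metadata (deliberately not done here)."""
    obj, _ = cbor_decode(attestation_object)
    fmt, att_stmt, ad = obj["fmt"], obj["attStmt"], parse_auth_data(obj["authData"])
    if fmt == "none":
        kind = "none"
    elif fmt == "packed" and "x5c" not in att_stmt:
        kind = "self"
    elif fmt in FORMATS_WITH_X5C and "x5c" in att_stmt:
        kind = "full"
    else:
        kind = "unknown"                             # e.g. android-safetynet; treat as unverified
    return {"fmt": fmt, "attestation_type": kind,
            "hardware_claim_possible": kind == "full",   # necessary, never sufficient on its own
            "multi_device_credential": ad["backup_eligible"], "currently_synced": ad["backup_state"],
            "aaguid": ad["aaguid"], "extensions": ad["extensions"]}

# ---- constructed samples: hand-encoded CBOR with dummy key material, not real captures ----
def _bstr(b):                                        # CBOR byte-string head for len < 256
    return (bytes([0x40 | len(b)]) if len(b) < 24 else b"\x58" + bytes([len(b)])) + b

DUMMY_ES256_KEY = (b"\xa5\x01\x02\x03\x26\x20\x01"   # {1:2, 3:-7, -1:1, -2:x, -3:y}
                   b"\x21\x58\x20" + b"\x11" * 32 + b"\x22\x58\x20" + b"\x22" * 32)
ATT_NONE = b"\xa0"                                                   # {}
ATT_SELF = b"\xa2\x63alg\x26\x63sig" + _bstr(b"\x00" * 64)           # {"alg": -7, "sig": ...}
ATT_FULL = b"\xa3" + ATT_SELF[1:] + b"\x63x5c\x81" + _bstr(b"\x30" + b"\x00" * 10)  # + "x5c": [placeholder DER]

def build_attestation_object(fmt, att_stmt, flags, aaguid):
    auth_data = (b"\x00" * 32 + bytes([flags | FLAG_AT]) + b"\x00\x00\x00\x01"  # rpIdHash, flags, count
                 + aaguid + b"\x00\x10" + b"\xcc" * 16 + DUMMY_ES256_KEY)          # aaguid, credId, key
    f = fmt.encode()
    return (b"\xa3\x63fmt" + bytes([0x60 | len(f)]) + f + b"\x67attStmt" + att_stmt
            + b"\x68authData" + _bstr(auth_data))

SAMPLES = {  # a synced passkey registered with attestation "none" (browser default), then two packed variants
    "passkey_none": build_attestation_object("none", ATT_NONE,
                                             FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, b"\x00" * 16),
    "packed_self": build_attestation_object("packed", ATT_SELF, FLAG_UP | FLAG_UV, b"\x00" * 16),
    "packed_full": build_attestation_object("packed", ATT_FULL, FLAG_UP | FLAG_UV, bytes(range(16))),
}

if __name__ == "__main__":
    for name, obj in SAMPLES.items():
        print(name, classify_attestation(obj))
```

With attestation "none" (what a browser sends unless the RP asks for "direct" or "enterprise"), fmt is "none" and attStmt is empty; the BE/BS flags still tell the RP it received a synced multi-device credential, but nothing in the object is signed by the authenticator, so the AAGUID cannot be used to argue hardware protection. Packed self-attestation proves only that the credential key signed its own public key. Only the full form can support a hardware claim, and only after the x5c chain is verified against a trusted root and the AAGUID is matched to FIDO MDS metadata, which is the part most RPs skip and the reason the session title says "unless you check attestations".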

An action item was raised: give feedback to platform vendors so that RPs have an option to ask for a device-bound key.