top | item 47190653

(no title)

hedora | 1 day ago

It seems like it will only be a matter of time before consumer sites start requiring a patched OS with an attestation bit set in the key.

Also, as I understand it, sites can whitelist credential hardware.

If not, then the attestation is security theater. I (or an attacker on your machine), can just make a sw emulator of a hw attestation device, and use that to protect my choice of OS, (and skim your credentials).

If a whitelist exists, then my “hijack your OS” plan works: Require the builtin macos/windows/signed chrome on signed os password managers. That’s 90% of the market (and dropping) right now.

discuss

johncolanduoni|1 day ago

As I said, the attestation structurally does NOT attest to your OS or your browser that are displaying the website performing the authentication. It attests to the device that holds the passkey's key material, which is usually not your desktop computer.

Borealid|1 day ago

The attestation is in fact readable by the FIDO Platform (the browser/OS). It is not encrypted to be readable only by the RP (web site).

It talks about whatever you used to authenticate and the platform can manipulate (or omit) it.