
Basically, for hardware backed devices like phones and physical security keys, there's an attestation certificate that is shared by all devices of that model. This can allow a site that wants higher security for some reason to require this kind of proof that the key is protected from copying in hardware (e.g. bound to a specific device and can't be stolen via malware, theoretically) due to it being a model known to be secure. I'm not aware of specific sites requiring this though.

It is recommended that sites don't require it: "It is important to be aware that requiring attestation is an invasive policy, especially when used to restrict users' choice of authenticator. For some applications this is necessary; for most it is not. [...] When in doubt, err towards being more permissive, because using a passkey is more secure than not using a passkey. [...] we recommend that you do not require a trusted attestation unless you have specific reason to do so." https://developers.yubico.com/Passkeys/Passkey_relying_party...

More info: https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...
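As an added illustration of the permissive relying-party policy quoted in the comment above (example code, not from the linked Yubico or MDN pages): a parser for the WebAuthn registration authenticatorData and a decision routine that records the authenticator model's AAGUID and warns about a known-weak model instead of rejecting it. It assumes the CBOR attestation object has already been decoded into its fmt string and authData bytes; the weak-model AAGUID and the sample data are constructed placeholders.

```python
import hashlib
import struct
import uuid
from dataclasses import dataclass

# Constructed placeholder: an AAGUID the relying party has learned belongs to a weak model. Not a real value.
KNOWN_WEAK_AAGUIDS = {"00000000-0000-0000-0000-00000000beef"}
ZERO_AAGUID = "00000000-0000-0000-0000-000000000000"  # authenticator declined to disclose its model

@dataclass
class AttestedCredential:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int
    aaguid: str            # identifies the authenticator *model* (shared by a whole batch), not one device
    credential_id: bytes

def parse_authenticator_data(auth_data: bytes) -> AttestedCredential:
    """Parse authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId."""
    if len(auth_data) < 55:
        raise ValueError("authenticatorData too short for attested credential data")
    flags = auth_data[32]
    if not flags & 0x40:  # AT bit must be set during registration
        raise ValueError("AT flag not set: no attested credential data")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential id truncated")
    # The COSE public key and any extensions follow cred_id; they are CBOR and not parsed here.
    return AttestedCredential(auth_data[:32], bool(flags & 0x01), bool(flags & 0x04),
                              sign_count, str(uuid.UUID(bytes=auth_data[37:53])), cred_id)

def registration_decision(fmt: str, cred: AttestedCredential, rp_id: str) -> dict:
    """Permissive policy: any attestation fmt (including 'none') is accepted; the AAGUID is stored for later warnings."""
    if cred.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return {"accept": False, "warn": False, "aaguid": None, "reason": "rpIdHash mismatch"}
    if not cred.user_present:
        return {"accept": False, "warn": False, "aaguid": None, "reason": "user presence not asserted"}
    model_disclosed = cred.aaguid != ZERO_AAGUID
    warn = model_disclosed and cred.aaguid in KNOWN_WEAK_AAGUIDS
    return {"accept": True, "warn": warn, "aaguid": cred.aaguid if model_disclosed else None,
            "reason": f"fmt={fmt}; known-weak model, notify user" if warn else f"fmt={fmt}; ok"}

def build_sample_authenticator_data(rp_id: str, aaguid: str, flags: int = 0x45) -> bytes:
    """Constructed registration authenticatorData for testing; the trailing public-key bytes are dummy."""
    cred_id = b"\x11" * 16
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
            + uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa5dummy")
```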




That seems like truly terrible advice. The only example given:

> It may still be useful to request and store attestation information for future reference - for example, to warn users if security issues are discovered in their authenticators - but we recommend that you do not require a trusted attestation unless you have specific reason to do so.

If that’s the only application, that communication should happen through alternate channels like your browser/OS vendor itself. Having random websites be responsible for communicating whether a given attestation may indicate compromise is less than helpful and the probability of that actually happening correctly is about 0. Oh and given all the breaches, if there is a compromise, the attacker now has a helpful list of customers using compromised authenticators.

One application seems to be to use this to try to replace captcha but I wonder what kind of impact that will have on 3p authenticators. Without extra details, it may be right to be concerned this is a massive landgrab as to how people access online services.



