[StavrosK]

Yes, certainly. And in order to compromise that root credential, you'd have to physically steal the key, and either decap the chip and read the bits somehow, or find a vulnerability that allowed you to read the private keys through USB.

Needless to say, this is much, much harder than stealing someone's password.

[not_that_noob]

Credential reissue (lost token) would be a much easier path for an attacker. The weakest point is always the point of compromise. For the smart attacker therefore, they have been handed the whole set of accounts. So yes the original point stands - attackers will find it more lucrative to do account compromise in the Webauthn world.

[emlun]

I think you misunderstand how WebAuthn works - see my other reply to your previous message.

[StavrosK]

How would an attack without having the hardware key work?

[not_that_noob]

They might call in and say they lost their token, and a competent attacker will usually have all the necessary info. Happens all the time with credit card fraud. Sure, you can notify the target that a credential was reissued, but that happens with credit cards too, and most of the time people don’t pay attention.

About 15% of the user population really cares about security and will take the right precautions. It’s the other 85% that are soft targets that keep attackers in business.

[StavrosK]

Okay, but how is that the key's fault? This has literally nothing to do with the authentication method, it doesn't give you access to any other site or anything. It's just a social engineering attack on the service, and it's pretty much the only one left because everything else has been obsoleted by the use of hardware tokens for auth.

[not_that_noob]

Not finding fault. The point of Webauthn is convenience - but the trade off is that if CTAP is compromised, it’s convenient for the attacker too.

[StavrosK]

I don't see how that's different from passwords, though. If your password gets compromised, it's game over as well, and it's much easier to compromise that.