by tialaramex
1574 days ago
The correct mitigation for these scenarios, which I agree are a problem, is to not use shared secrets. Key rotation / changing your password is a poor workaround. If you steal the WebAuthn database from my toy implementation, now, or tomorrow, or ten years in the past, it makes no difference, because it doesn't have any secrets in it, so you don't learn anything useful. "Man, if I was this web site, which I'm not, now I could validate that the authentication was successful." In such schemes the only thing similar to a "secret" is the Private Key, which exists only briefly, temporarily, inside my Security Key or other authenticator when it is doing its thing.
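A worked version of the point above, added here as an example; it is not code from the commenter's toy implementation or from any WebAuthn library. It uses Go's standard-library ed25519. What the authenticator signs is simplified to SHA-256(rpId || challenge) instead of WebAuthn's real authenticatorData || SHA-256(clientDataJSON); the rpId "example.com", the user "alice" and all type and function names are made up for the demo. The server stores only a public key and a signature counter, and the three scenarios in Demo show what a thief with a full copy of that table can and cannot do, plus the counter check that catches a cloned authenticator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StoredCredential is all the relying party keeps per enrolled authenticator:
// a public key and the last signature counter it saw. Nothing in this row is
// secret, so a stolen copy of the table does not let anyone log in.
type StoredCredential struct {
	PubKey    ed25519.PublicKey
	SignCount uint32
}

// RelyingParty is the server side (hypothetical names, not a real library).
type RelyingParty struct {
	ID         string                       // rpId, e.g. "example.com"
	creds      map[string]*StoredCredential // user -> credential
	challenges map[string][]byte            // user -> outstanding one-time challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*StoredCredential{}, challenges: map[string][]byte{}}
}

// Register stores the public key the authenticator produced at enrolment.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.creds[user] = &StoredCredential{PubKey: pub}
}

// NewChallenge issues a fresh random challenge; Verify consumes it.
func (rp *RelyingParty) NewChallenge(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.challenges[user] = ch
	return ch
}

// signedMessage is a simplification of what a real authenticator signs
// (authenticatorData || SHA-256(clientDataJSON)): here just a hash that binds
// the rpId and the challenge together.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Verify checks an assertion under the stored public key, consumes the
// challenge whatever the outcome, and requires the signature counter to
// increase, which is how a clone (same private key, stale counter) is caught.
func (rp *RelyingParty) Verify(user string, sig []byte, count uint32) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	ch, ok := rp.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(rp.challenges, user)
	if !ed25519.Verify(cred.PubKey, signedMessage(rp.ID, ch), sig) {
		return errors.New("signature does not verify under the stored public key")
	}
	if count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.SignCount = count
	return nil
}

// Authenticator simulates a security key: the private key never leaves it,
// it only ever emits signatures and an increasing counter.
type Authenticator struct {
	priv  ed25519.PrivateKey
	count uint32
}

func NewAuthenticator() *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, uint32) {
	a.count++
	return ed25519.Sign(a.priv, signedMessage(rpID, challenge)), a.count
}

// Demo plays out three scenarios and reports what the server decided.
func Demo() (honestOK, thiefCanVerify, thiefRejected, cloneRejected bool) {
	rp := NewRelyingParty("example.com")
	key := NewAuthenticator()
	rp.Register("alice", key.PublicKey())
	clone := &Authenticator{priv: key.priv} // copied before alice ever logged in

	// 1. Honest login.
	ch := rp.NewChallenge("alice")
	sig, n := key.Assert(rp.ID, ch)
	honestOK = rp.Verify("alice", sig, n) == nil

	// 2. Database breach. The thief's row lets them confirm alice's earlier
	//    assertion was genuine, but answering a new challenge needs the
	//    private key, which is not in the row; a key of their own is refused.
	stolenRow := *rp.creds["alice"]
	thiefCanVerify = ed25519.Verify(stolenRow.PubKey, signedMessage(rp.ID, ch), sig)
	ch = rp.NewChallenge("alice")
	sig, n = NewAuthenticator().Assert(rp.ID, ch)
	thiefRejected = rp.Verify("alice", sig, n) != nil

	// 3. The clone does hold the private key, so its signature is valid, but
	//    its counter (1) is not above the stored one (1) and it is refused.
	ch = rp.NewChallenge("alice")
	sig, n = clone.Assert(rp.ID, ch)
	cloneRejected = rp.Verify("alice", sig, n) != nil
	return
}

func main() { fmt.Println(Demo()) }
```

The counter check is the caveat worth keeping in mind: a stolen table is harmless, but a physically cloned authenticator is not, and the only server-side signal for that is a counter that fails to move forward, which the spec leaves to the relying party to enforce.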