by johncolanduoni
1089 days ago
WebAuthn has a specific feature called “attestation” where an app can only accept keys from a specific vendor as verified by vendor-provided signatures (that the user agent cannot forge). I personally doubt it will be used for this kind of lock-in (it’s currently mostly used by companies for internal authentication so they can make sure you only use the brand of WebAuthn keys issued by them), but it’s not technically infeasible with the current standard. If you want to see an outside-of-the-box use of the attestation feature, take a look at Cloudflare’s “Cryptographic Attestation of Personhood” [1]. Basically they use the attestation key to tie the WebAuthn challenge to a real vendor, so if spammers make their own fake WebAuthn keys they can block them wholesale. I’m sure some Cloudflare skeptics will jump in and point out all the ways that could be abused.

[1]: https://developers.cloudflare.com/support/about-cloudflare/b....
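The relying-party check the comment describes, as an added example that is not part of the post: a registry of trusted vendor attestation keys accepts a registration only when the attestation signature (over authenticatorData || SHA-256(clientDataJSON), as in the WebAuthn "packed" format) verifies against one of them, so a key minted by the user agent or a spammer's fake authenticator is rejected. The vendor name, key material and authenticator data are constructed for the example; a real relying party would pin vendor root certificates and validate the x5c chain instead of bare public keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Registry is the relying party's allowlist of vendor attestation public keys
// (constructed; a real RP pins vendor root certs and walks the x5c chain).
type Registry struct{ Trusted map[string]*ecdsa.PublicKey }

// attestationDigest mirrors the WebAuthn "packed" attestation format: the
// authenticator signs authenticatorData || SHA-256(clientDataJSON).
func attestationDigest(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// SignAttestation is the authenticator side, signing with its vendor-provisioned key.
func SignAttestation(key *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, attestationDigest(authData, clientDataJSON))
}

// VerifyAttestation returns the vendor whose key signed the attestation, or an
// error when none did (a self-minted or fake authenticator).
func (r Registry) VerifyAttestation(authData, clientDataJSON, sig []byte) (string, error) {
	digest := attestationDigest(authData, clientDataJSON)
	for vendor, pub := range r.Trusted {
		if ecdsa.VerifyASN1(pub, digest, sig) {
			return vendor, nil
		}
	}
	return "", fmt.Errorf("attestation not signed by a trusted vendor key")
}

func main() {
	vendorKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed vendor key
	fakeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // constructed spammer key
	rp := Registry{Trusted: map[string]*ecdsa.PublicKey{"ExampleVendor": &vendorKey.PublicKey}}
	authData := []byte("constructed-authenticator-data")
	clientData := []byte(`{"type":"webauthn.create","challenge":"Y29uc3RydWN0ZWQ"}`)
	good, _ := SignAttestation(vendorKey, authData, clientData)
	fake, _ := SignAttestation(fakeKey, authData, clientData)
	fmt.Println(rp.VerifyAttestation(authData, clientData, good))
	fmt.Println(rp.VerifyAttestation(authData, clientData, fake))
}
```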