Hacker News new | ask | show | jobs
by Rafert 494 days ago
The counter can always be 0, which is what cloud synced passkeys are doing IIRC.
2 comments
dathinab 493 days ago
The problem starts earlier with the secret key which you can't place "into" a TKey. You can deterministically derive one between the TKey and a server using some thing like a (semi) static DH but that isn't how it is implemented in general.
link
cuu508 493 days ago
I understand that the ability to place stuff "into" a TKey would be needed to support discoverable WebAuthn credentials ("passkeys"). But would it also be needed for non-discoverable credentials?
link
Borealid 493 days ago
Yes, to set a PIN protecting the non-discoverable credentials. The FIDO PIN can be changed while you have access to the authenticator and not to the credentials it previously created.
link
arianvanp 493 days ago
User verification is optional.

If you only do user presence and non-discoverable, then WebAuthn is completely stateless and deterministic for a given (challenge,rpId,origin) triplet

link
michaelt 493 days ago
Isn't a 'passkey' with no discoverable credentials and no user verification just a regular U2F token?
link
Borealid 493 days ago
Well, it could still provide credBlob (up to 32 bytes of data stored in the non-discoverable credential and handed back after verification). But mostly yes, it's losing the advantages of FIDO2.
link
arianvanp 493 days ago
Modulo supporting more algorithms -- yes
link
woodruffw 493 days ago
Huh yeah, I hadn't considered how they got around that. I suppose in that case this key could do something similar?
link