Comment by tjohns
3 years ago
Those can all easily be emulated in software, if you're determined enough.
There's nothing about the WebAuthn protocol that forces hardware backed key storage, other than everyone collectively agreeing it's a good idea. A bot author would just ignore that.
Firefox already includes this functionality, gated behind a flag (security.webauth.webauthn_enable_softtoken).
> Those can all easily be emulated in software, if you're determined enough.
Not possible if vendor signature checking is enforced. All major WebAuthn device manufacturers sign the keys of all the devices they produce. You can prove a given device is unique and issued by Apple, Yubico, Google, Microsoft, etc.