Thomas Duboucher
> I have previously asked about a way to specify per-credential selection criteria which was denied by this WG, because an authentication challenge is considered to be targeting a single...
I think that this is already working out of the box on Windows 10 for NFC authenticators (see https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services).
Tested, and working out of the box with remote desktop in NFC. In HID, required to configure forwarding of the USB device first. Both local and remote station were running...
@seism0saurus The remote desktop application probably needs to be launched as administrator, because it is accessing the FIDO device directly, and not through Windows' webauthn.h.
It was done with VMware Horizon, with the following setup: - VMware Horizon Client launched as administrator (since it accesses the raw FIDO devices, and not through webauthn.dll), -...
Such deployments already use certified hardware (e.g. CC EAL) and filter security keys using attestation, AAGUID and MDS.
> Can you provide me with a reference for a specification that doesn't allow wrapped keys? > > I know of implementations where Discoverable keys are wrapped by the SE...
This is a good case for [Authenticator Selection Criteria](https://www.w3.org/TR/webauthn-2/#dictdef-authenticatorselectioncriteria). Note that in the end, it does not allow the RP not to check the metadata, as the client doesn't validate...
> If avoiding replay attacks is the only purpose of the challenge, then, at least according to my layman understanding of cryptography, that would mean that the only requirement would...
Tested OK with 1.7.20-4. 👍 Should I close the issue?