Open flash1293 opened 5 years ago
The key sharing scheme can be implemented in user land roughly like this:
This is only worth it if the user doesn't blindly confirm all WebAuthn popups (if she does, an XSS exploit could be used by an attacker to create a password for the account).
To do this, a key sharing scheme is necessary to provide a “sync link” feature - tracked here https://github.com/w3c/webauthn/issues/931