flash1293
commented
5 years ago The key sharing scheme can be implemented in user land roughly like this:
- Normal auth flow for the first device
- If the linksharing page is opened, create a new password for the account on the server via POST. To do so, no existing access token can be used, but a new challenge has to be solved (to trigger the webauthn-popup which notifies the user about a new authentication going on)
- The password is never put in local storage, only in memory and in the sharing link.
- On the other device, the normal auth flow is altered: Along with the normal challenge answer and the public key, the username of the existing account and the password is sent along. The server stores the new public key in the same account as the password and the public key of the first device
- The second device then forgets the password and authenticates itself via the public key for subsequent actions
This is only worth it if the user doesn't blindly confirms all webauthn-popups (if she does, an XSS exploit could be used by an attacker to create a password for the account)
To do this, a key sharing scheme is necessary to provide a “sync link” feature - tracked here https://github.com/w3c/webauthn/issues/931