1Password would also like to see support for this for similar reasons. 
Being able to have additional data associated with a passkey and encrypted 
is important for us and our users.

I'd like some clarification, however, on the context string being used for 
hashing. What is the expected contextual input here?

On Monday, May 1, 2023 at 9:13:39 AM UTC-4 Rew Islam wrote:

> Dashlane would like to see support for this feature. This allows 
> encryption of data without the need for a knowledge based secret, in an 
> easy to use way.
>
> Rew
>
>
> On 1 May 2023, at 09:26, Alex Russell <sligh...@chromium.org> wrote:
>
> This looks good on the surface, but I'm wondering if there's sample code 
> somewhere that can demonstrate how this would be used?
>
> On Fri, Apr 28, 2023, 11:05 PM 'Adam Langley' via blink-dev <
> blin...@chromium.org> wrote:
>
>> Contact emails: a...@chromium.org
>>
>> Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-PRF-extension
>>
>> Specification: https://w3c.github.io/webauthn/#prf-extension
>>
>> Summary
>>
>> The PRF extension to WebAuthn allows a pseudo-random function (i.e. 
>> HMAC), stored on the security key, to be evaluated when getting a 
>> credential. This can be used to derive secret keys used to encrypt user 
>> data.
>>
>> Blink component: Blink>WebAuthentication 
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication>
>>
>> Search tags: webauthn <https://chromestatus.com/features#tags:webauthn>, 
>> prf <https://chromestatus.com/features#tags:prf>, hmac 
>> <https://chromestatus.com/features#tags:hmac>
>>
>> TAG review: https://github.com/w3ctag/design-reviews/issues/806
>>
>> TAG review status: Complete
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Support on Windows depends on having a recent version of Windows. Not 
>> every security key supports the underlying hmac_secret functionality. Some 
>> passkey providers on Android 14 may not support it.
>>
>> *Gecko*: No signal
>>
>> *WebKit*: No signal
>>
>> *Web developers*: We've had several requests to enable this. Hopefully 
>> some will reply to this thread in the coming week.
>>
>> Security
>>
>> Some platforms may have assumed that the web would not ever be able to 
>> access the HMAC oracles in security keys. Therefore the HMAC inputs are 
>> hashed with a context string before being used, thus preventing sites from 
>> evaluating any HMAC input from the native domain.
>>
>> WebView application risks
>>
>> WebAuthn is not currently supported in WebViews. If that changes, this 
>> feature isn't expected to cause any specific difficulties. It remains the 
>> case that apps need to be authorized by assetlinks.json to access WebAuthn 
>> credentials.
>>
>> Debuggability: This feature is supported by Chromium's simulated security 
>> key and can be used by Web Driver tests and, later, could be exposed in 
>> DevTools.
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac, 
>> Linux, Chrome OS, Android, and Android WebView)? Yes, although support 
>> for WebAuthn in WebViews in general is still in the future.
>>
>> Is this feature fully tested by web-platform-tests 
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>? 
>> Yes
>>
>> Flag name: chrome://flags/#enable-experimental-web-platform-features, 
>> although it'll have a separate killswitch flag when default enabled.
>>
>> Requires code in //chrome? False
>>
>> Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1106961
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5138422207348736
>>
>> Links to previous Intent discussions: Intent to prototype: 
>> https://groups.google.com/a/chromium.org/g/blink-dev/c/t_9QdJ7hcls/m/CAAOGBIVBgAJ
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "blink-dev" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to blink-dev+...@chromium.org.
>> To view this discussion on the web visit 
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLwSTfuePtL9d2BrF%2BPjXkipxY-f4TPCDMHpv5ESwqA1uQ%40mail.gmail.com
>>  
>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLwSTfuePtL9d2BrF%2BPjXkipxY-f4TPCDMHpv5ESwqA1uQ%40mail.gmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
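The context-string hashing from the Security section of the quoted intent, and the sample-code request in the thread, illustrated with an added example that is not part of the thread or of Chromium's code. It runs in Node.js with a software-simulated authenticator: the context prefix `"WebAuthn PRF" || 0x00` follows the WebAuthn PRF extension specification, while the function names, the constructed credential secret and the HKDF info label are assumptions made for the illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Context prefix used by the PRF extension: "WebAuthn PRF" followed by one zero byte.
const PRF_CONTEXT = Buffer.concat([Buffer.from("WebAuthn PRF", "utf8"), Buffer.from([0x00])]);

// What the browser does to a site-supplied PRF input before it reaches the
// authenticator: salt = SHA-256("WebAuthn PRF" || 0x00 || input).
function webSalt(prfInput) {
  return nodeCrypto.createHash("sha256").update(PRF_CONTEXT).update(prfInput).digest();
}

// Simulated hmac-secret evaluation: HMAC-SHA-256 keyed with a per-credential
// secret that stays on the authenticator (constructed by the caller here).
function authenticatorHmac(credSecret, salt) {
  return nodeCrypto.createHmac("sha256", credSecret).update(salt).digest();
}

// Website path: the input is always hashed with the context string first.
function evalPrfFromWeb(credSecret, prfInput) {
  return authenticatorHmac(credSecret, webSalt(prfInput));
}

// Native path (hypothetical platform caller): a raw 32-byte salt is passed
// straight to the authenticator with no context hashing.
function evalFromNative(credSecret, rawSalt) {
  return authenticatorHmac(credSecret, rawSalt);
}

// Derive an AES-256-GCM key from the PRF output; the info label is a hypothetical app choice.
function deriveDataKey(prfOutput) {
  const okm = nodeCrypto.hkdfSync("sha256", prfOutput, Buffer.alloc(0), "example data key v1", 32);
  return Buffer.from(okm);
}

// Encrypt with a fresh 96-bit IV; the tag authenticates the ciphertext.
function encrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(key, { iv, ct, tag }) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}
```

In a browser the site-supplied input is passed as `extensions: { prf: { eval: { first: input } } }` in the `publicKey` options of `navigator.credentials.get()`, and the output is read from `getClientExtensionResults().prf.results.first`. For a site to reach the HMAC value a native caller gets for a raw salt `s`, it would need an input whose context hash equals `s`, which is a SHA-256 preimage.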
