Reply to Passkeys and PRF extension
We would like to use PRF to protect the user data within our services by using the PRF salt as the basis for the HKDF. Given the heavy penalties in case of GDPR breaches, it would really mean a lot for service providers if the user data could be protected completely by the WebAuthn authenticators. However, this would require that all web browsers/platforms support PRF (for "cloud" authenticators, the PRF extension could even be emulated by the "cloud" authenticator provider). For the moment, only Google Chrome/Edge desktop versions support PRF (if the native authenticator supports HMAC-SECRET), which from a practical point of view renders PRF useless for the moment. @garrett-davidson This is all but theoretical. Given the GDPR, the industry should really push PRF support like crazy.
Nov ’23