
Synced/multi-device user Credentials #1665

Open
equalsJeffH opened this issue Aug 24, 2021 · 7 comments
Labels: @Risk (Items that are at risk for L3), type:editorial
Milestone

Comments

@equalsJeffH
Contributor

equalsJeffH commented Aug 24, 2021

Issue #1637 introduces possible experiences in a future WebAuthn, various aspects of which are enabled by "syncing platform credentials" via platform providers' sync fabrics. The spec will need updating to explicitly accommodate and explain the "synced credential" notion. This will accommodate other spec updates, e.g. PR #1663, which need to make reference to the "synced credential" notion.

Note that the spec mostly implies that public key credential sources are (presently) hardware-bound by default (though the Cred Private Key definition is explicit, see below). These various notions will all need to be made explicit.

[ Note: synced credentials are a crucial enabler of the "passkey" concept. ]

@emlun
Member

emlun commented Aug 24, 2021

The Credential Private Key definition will probably need a tweak too:

[...]
The credential private key is bound to a particular authenticator - its managing authenticator - and is expected to never be exposed to any other party, not even to the owner of the authenticator.
[...]

@equalsJeffH
Contributor Author

For associated discussion on terminology, see also:

For associated discussion regarding the webauthn spec sections that (likely amongst others) will require updating, see also:

@timcappalli
Member

We should avoid using the term "sync" in the WebAuthn spec. Sync is one specific mechanism of moving/copying/migrating credentials. Other terms include:

  • "copy"
  • "move"
  • "backup"
  • "export"
  • "peer-to-peer transfer"

We're really talking about "multi-device WebAuthn credentials" and "single-device WebAuthn credentials". I would propose using these two phrases instead.

@MasterKale
Contributor

We're really talking about "multi-device WebAuthn credentials" and "single-device WebAuthn credentials". I would propose using these two phrases instead.

Can the spec include mention of passkeys, even if it's just in Terminology? If we can't use "passkeys" directly in the spec then I think it'd be beneficial to help readers understand the following:

  • "multi-device WebAuthn credential" === "passkey"
  • "single-device WebAuthn credential" === "single-device passkey"

@timcappalli
Member

I'm fine with that in the terminology section: "... also known as a single-device passkey"

@equalsJeffH
Contributor Author

In their review of the "Broadening the user base of WebAuthn" aspect of the WebAuthn L3 effort, the W3C TAG requests (in part) that we "list mitigations or privacy protections on the part of the credential sync fabric providers", and provide this example:

We'd recommend that you include something in the spec, when you get to drafting it, to share some of this thinking with implementers (even something as simple as "users are trusting credential sync fabric providers to keep their keys secure. While the mechanisms of demonstrating that trust or keeping those credentials secure is out of scope for this spec, we are flagging to implementers that they may need to focus on this problem. Without it, the entire feature won't work.").

@ve7jtb
Contributor

ve7jtb commented Feb 7, 2022

If we expect to have sites saying authenticate with passkey, they are probably going to mostly accept both single- and multi-device passkeys.

I think Dirk's white paper was more along the lines of:
"WebAuthn credential" === "passkey"
"multi-device WebAuthn credential" === "multi-device passkey"
"single-device WebAuthn credential" === "single-device passkey"

At least for the login flow we should not be differentiating between the two. For creating credentials where the authenticator supports both types of credentials, differentiating what the user is creating may be useful.
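As an added example (not code from this thread, the WebAuthn spec, or any of the commenters), the following shows how a relying party could record whether a newly created credential is single-device or multi-device, and accept either at login, which is the distinction the comments above are settling terminology for. It assumes the BE (backup eligibility) and BS (backup state) flag bits that the published WebAuthn L3 spec later added to the authenticator data flags byte; this issue predates those bits and does not mention them, so their positions are taken from L3 rather than from the page. The authenticator data blobs are constructed samples.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte. UP/UV/AT/ED exist
# in WebAuthn L1/L2; BE and BS are the L3 additions assumed here (taken from the
# published L3 spec, not from this issue thread).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may exist on more than one device
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash (32), flags (1), signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "flags": flags, "sign_count": sign_count}


def classify_credential(flags: int) -> str:
    """Label a credential single-device or multi-device from its BE/BS flag bits."""
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    if bs and not be:
        # A credential cannot be backed up if it is not backup-eligible.
        raise ValueError("invalid flags: BS set without BE")
    if not be:
        return "single-device"
    return "multi-device (backed up)" if bs else "multi-device (not yet backed up)"


def check_backup_eligibility_stable(stored_be: bool, assertion_flags: int) -> bool:
    """Return True when BE at assertion time matches the value recorded at registration.

    Under the assumed L3 semantics BE is fixed for the lifetime of a credential, so a
    change is worth logging as an anomaly even if the login itself is still accepted
    (the login flow does not need to distinguish the two kinds of credential).
    """
    return stored_be == bool(assertion_flags & FLAG_BE)


def build_sample_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a minimal authenticator data blob (constructed sample, not captured data)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # hypothetical RP ID
    for label, flags in [
        ("hardware-bound key", FLAG_UP | FLAG_UV),
        ("passkey, synced", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS),
        ("passkey, awaiting sync", FLAG_UP | FLAG_UV | FLAG_BE),
    ]:
        parsed = parse_authenticator_data(build_sample_authenticator_data(rp, flags, 7))
        print(f"{label}: {classify_credential(parsed['flags'])}")
```

The registration-time classification is what an RP would store alongside the credential ID; at assertion time it only needs the stability check, which fits the point that login should not differentiate between the two kinds.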

@equalsJeffH equalsJeffH changed the title Synced Credentials Synced/multi-device Credentials Feb 17, 2022
@equalsJeffH equalsJeffH changed the title Synced/multi-device Credentials Synced/multi-device user Credentials Feb 17, 2022
@nadalin nadalin added the @Risk Items that are at risk for L3 label Jun 27, 2023
@plehegar plehegar modified the milestones: L3-WD-01, L3-WD-02 Oct 4, 2023

7 participants