
WebAuthn includes an extension of the Credential Management API that allows you to work with public keys. I can go to the Chrome settings and check managed passwords to see which username/passwords I have chosen to store in the browser using the Credential Management API. A few questions related to the WebAuthn + Credential Management API combination:

  1. What info does browser store when we successfully create a credential?
  2. Can we access this info from chrome settings (or some other way)?
noi.m

3 Answers


It's a loaded question; both answers from thangcao and mackie are to the point. Here are a few more details.

  • The "authenticator" is separate from the browser -- just to emphasize this.
  • Authenticators could be a "platform authenticator", built into client devices such as Android phones and Windows Hello, or a "roaming authenticator", a separate/external piece of hardware such as a Yubikey that you can use on several devices.
  • Authenticators are the ones that create and store "credentials", which are in a public/private key scheme. Browsers can obtain public keys (meant to be public) from authenticators through the credential management APIs, but never private keys. The authentication process is done inside authenticators; browsers simply pass along information between clients (users/app) and authenticators.
  • There is no equivalent "password management" in Chrome settings to manage your "WebAuthn private information", because credentials are not in browsers; more so, several browsers could use the same authenticator, with the same set of public/private key credentials.

Last but not least, your question: "Can we access this info from chrome settings (or some other way)?"

Answer: Unless authenticator vendors build some backdoors. If that's the case, the backdoor is not for you, but for hackers to obtain all your private keys.

Sproffer
  • What this guy said ;) – mackie Jun 03 '20 at 12:39
  • The difference between how a browser handles a password credential v/s a webauthn related credential is also evident by the different API used. Store Password Credential: https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/store. Create Webauthn Credential: https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create – Jatin Dec 09 '20 at 03:16
  1. None - the credentials are stored in a protected form inside the authenticator device used - e.g. a security key like a Yubikey or inside the TPM of your computer or phone.
  2. You can create or get a credential (get in this case really meaning "sign this nonce") at runtime via the WebAuthn API (navigator.credentials...) but you cannot enumerate them.

Even Yubico do not provide a tool that allows you to just list the FIDO2 credentials held on one of their devices.

mackie

For your questions:

  1. The browser does not store this information; the created information (from an authenticator) is used for registering the authenticator with the Relying Party.
  2. At runtime.
thangcao