27 Feb
Will sky fall if I don’t verify `AuthenticatorAttestationResponse`?
Through reading the WebAuthn spec and related MDN docs, I understand that unlike "certificate signing requests", FIDO/Passkey can have various different attestation formats and verification methods/algorithms during public-key credential registration.
The documents recommend against "profiling" authenticators. I find supporting all those different (and potentially more) attestation formats to be very complex.
If I only send the public key (obtained through the convenience API of `AuthenticatorAttestationResponse.getPublicKey()`) to the server, then ask the user to sign in to prove their possession of the private key through the `CredentialsContainer.get()` interface, what protection do I lose in terms of security?