Does passwordless.dev support the devicePubKey extension of WebAuthn? I don't see any information about it in the documentation, and I don't see any implementation of it in the source code (after a cursory search).
I'm happy to see Passkeys/Multi-Device FIDO hitting the masses but somewhat disappointed to see that it's bypassing 2FA in a lot of cases (Google accounts for example).
Considering that a backup-enabled credential could be stolen from an endpoint, it seems likely that without implementation of devicePubKey verification (with additional authentication for unknown devices), we will see stolen passkey attacks become more prevalent.
I don't want to be back in the pre-2FA days where we had to push websites to properly implement strong authentication. Even many webauthn authors seemed to agree that without devicePubKey, multi-device FIDO is broken.
Better for them to implement it properly in the beginning.
I agree that for sensitive websites that implement a risk engine / policy, DPK will be valuable, and our work to support it is already planned. But it's also worth remembering that for the majority of apps and websites, passkeys without DPK are still a huge improvement in user security.
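To make concrete what the comment above means by "additional authentication for unknown devices" and what the reply calls a "risk engine / policy", here is an added example of a relying-party-side policy check. It is not passwordless.dev code and not from anyone in this thread. It assumes the caller has already verified the assertion signature and, as the devicePubKey extension requires, the extension's own signature, and hands in the device public key (a COSE_Key byte string) extracted from the extension output; the `CredentialRecord`, `Decision` and `evaluate_assertion` names are hypothetical, and the authenticator data and key bytes are constructed sample values.

```python
"""Added example (not passwordless.dev code): relying-party policy that uses the
WebAuthn devicePubKey (DPK) extension output to notice when a synced passkey is
exercised from a device it has never been seen on, and asks for step-up auth."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Bits of the flags byte in authenticatorData (byte 32, right after rpIdHash).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require an additional factor, then enroll the device
    DENY = "deny"


@dataclass
class CredentialRecord:
    """Hypothetical per-credential state kept by the relying party."""
    credential_id: bytes
    known_dpk_fingerprints: set = field(default_factory=set)


def dpk_fingerprint(dpk_cose_key: bytes) -> str:
    # The DPK is a COSE_Key; a hash of its encoding is a stable identifier.
    return hashlib.sha256(dpk_cose_key).hexdigest()


def parse_flags(authenticator_data: bytes) -> int:
    # rpIdHash (32) + flags (1) + signCount (4) is the minimum length.
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    return authenticator_data[32]


def evaluate_assertion(record: CredentialRecord, authenticator_data: bytes,
                       dpk_cose_key: Optional[bytes], sensitive: bool) -> Decision:
    """Decide what to do with an otherwise valid assertion.

    dpk_cose_key is the device public key from the verified devicePubKey
    extension output, or None if the authenticator did not return one.
    sensitive selects the stricter policy for high-value accounts.
    """
    flags = parse_flags(authenticator_data)
    if not flags & FLAG_UP:
        return Decision.DENY  # no user presence at all
    synced = bool(flags & FLAG_BE)
    if dpk_cose_key is None:
        # No device key: a synced credential cannot be tied to a device, so a
        # sensitive site steps up; an ordinary site accepts the passkey as-is.
        return Decision.STEP_UP if (sensitive and synced) else Decision.ALLOW
    if dpk_fingerprint(dpk_cose_key) in record.known_dpk_fingerprints:
        return Decision.ALLOW  # credential used from a device seen before
    # Unknown device for this credential: require an additional factor first.
    return Decision.STEP_UP


def enroll_device(record: CredentialRecord, dpk_cose_key: bytes) -> None:
    """Call after the step-up factor succeeded to trust this device next time."""
    record.known_dpk_fingerprints.add(dpk_fingerprint(dpk_cose_key))


def make_auth_data(flags: int) -> bytes:
    """Constructed authenticatorData: dummy rpIdHash, flags, zero signCount."""
    return b"\xaa" * 32 + bytes([flags]) + b"\x00\x00\x00\x00"


# Constructed sample values, not real keys.
DPK_A = b"constructed-cose-key-for-device-A"
DPK_B = b"constructed-cose-key-for-device-B"

if __name__ == "__main__":
    rec = CredentialRecord(credential_id=b"constructed-credential-id")
    synced_ad = make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    print("first use from device A:", evaluate_assertion(rec, synced_ad, DPK_A, True))
    enroll_device(rec, DPK_A)
    print("device A again:", evaluate_assertion(rec, synced_ad, DPK_A, True))
    print("same passkey from device B:", evaluate_assertion(rec, synced_ad, DPK_B, True))
```

The point of the split between `sensitive` and the unknown-device branch is the one the reply makes: a site without a risk policy can keep accepting synced passkeys, while a site that cares can refuse to let a credential that was copied off one endpoint log in silently from another.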