there is attestation of the registration device in WebAuthn
so you can tell that a token was signed by an official YubiKey, Apple Secure Enclave, TPM, etc
for YubiKeys the attestation signing certificate is shared between devices, but this number is limited
so you could rate limit... just it would be a horrible experience when you are limited
I don’t see that in the code. But you’re right that there is something heuristic you can do.
What about for software implementations like 1Password and Bitwarden?