
The idea is to use public/private key cryptography to store encrypted data that only a user with biometric login can access.

I'm successfully using WebAuthn and this library to log in, and I store the credential ID and a public key. Now, as I read, I can't use this to encrypt data because I can't have the WebAuthn API decrypt it; it's only used for authentication.

The question is, can I protect local browser storage with WebAuthn? If so, I could use window.crypto.subtle.generateKey to generate an RSA key, store the private key locally and protect it with WebAuthn, then reuse it when necessary.

Best,

Michael Chourdakis


The closest thing would be to use the PRF extension that's in the draft of WebAuthn level three. However, it is not yet supported in any browser nor by any platform authenticator I'm afraid. (Although many FIDO2 security keys support the underlying hmac-secret extension to CTAP2.)

agl