Re: how to handle multiple domains

Thanks for confirming, Emil.

David, yes, federation is one solution but it does not cover all use cases.
One use case is prompting for a second factor before sensitive operations;
a full page redirect to the IdP might not be the desired UX.

And yes, Android already supports something like you describe. You have to
include the Android app in the asset links file with the right relationship
type. Not sure if iOS has anything similar yet.


On Wed, Apr 24, 2019 at 4:20 AM David Waite <dwaite@pingidentity.com> wrote:

>
>
> On Wed, Apr 24, 2019 at 5:00 AM Emil Lundberg <emil@yubico.com> wrote:
>
>> > Is there a reason why facets (or something similar) are not available
>> > for FIDO2/WebAuthn?
>>
>> I personally don't know, but my guess is that the facet resolution logic
>> adds too much complexity for too little benefit. Perhaps someone else on
>> the list can elaborate on this decision.
>>
>
> I suspect that there were also identified privacy impacts, as I could set
> a facet to be quite far-reaching.
>
> To support multiple domain roots, you probably should use federation and
> SSO.
>
> My money is on a form of facets eventually coming back for non-web usage
> in a very limited form, not to support multiple domains but to support
> direct native app usage when associated with a domain (e.g. iOS Universal
> Links, Android App Links)
>
> -DW

Received on Wednesday, 24 April 2019 21:56:18 UTC