[w3ctag/design-reviews] WebAuthn minPinLength (Issue #687)

I'm requesting a TAG review of the minPinLength extension of CTAP 2.1, which would be exposed via WebAuthn.

In order to help organizations with meeting regulatory requirements, the current standard for security keys ([CTAP 2.1](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html)) defines an extension called [minPinLength](https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension). This allows the authenticator to report, when a credential is created, the authenticator's current configured minimum PIN length. Since the minimum can only be decreased by resetting the security key, which erases all credentials, an enterprise that uses this extension knows that the minimum was enforced whenever that credential is used.

  - Explainer: https://github.com/w3c/webauthn/wiki/Explainer:-minPinLength

  - Specification URL: https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-20210615.html#sctn-minpinlength-extension

  - Tests: https://chromium-review.googlesource.com/c/chromium/src/+/3256056/4/third_party/blink/web_tests/external/wpt/webauthn/createcredential-minpinlength.https.html

  - Primary contacts (and their relationship to the specification):
      - Adam Langley (agl), Google
  - Organization(s)/project(s) driving the specification: Microsoft

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - The group where the work on this specification is currently being done: FIDO

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  💬 leave review feedback as a **comment in this issue**


Received on Friday, 5 November 2021 19:49:44 UTC
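How a relying party could read the value described in the request above and enforce its own minimum, as an added example that is not part of the original message or of any FIDO or Chromium code. It assumes the authenticator data bytes were already taken from an attestation object whose signature has been verified; the function names, the tiny CBOR reader and the sample bytes are constructed for illustration.

```python
AT, ED = 0x40, 0x80  # authenticator data flags: attested credential data, extensions

def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (20, 21, 22):         # false / true / null
        return (False, True, None)[info - 20], pos
    if major > 5 or info > 27:
        raise ValueError("CBOR item outside the subset handled here")
    arg = info
    if info >= 24:                                  # argument follows in 1, 2, 4 or 8 bytes
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major < 2:                                   # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major < 4:                                   # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode()), pos + arg
    items = []
    for _ in range(arg * (2 if major == 5 else 1)): # array items, or map keys and values
        value, pos = cbor_decode(buf, pos)
        items.append(value)
    return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos

def reported_min_pin_length(auth_data):
    """Return the minPinLength extension output in authData, or None if absent."""
    flags, pos = auth_data[32], 37                  # rpIdHash(32) flags(1) signCount(4)
    if flags & AT:
        pos += 16                                   # AAGUID
        pos += 2 + int.from_bytes(auth_data[pos:pos + 2], "big")  # credential ID
        _, pos = cbor_decode(auth_data, pos)        # skip the COSE public key
    if not flags & ED:
        return None
    extensions, _ = cbor_decode(auth_data, pos)
    value = extensions.get("minPinLength") if isinstance(extensions, dict) else None
    return value if isinstance(value, int) and not isinstance(value, bool) else None

def meets_policy(auth_data, required):
    """Fail closed: a credential with no reported value does not meet the policy."""
    reported = reported_min_pin_length(auth_data)
    return reported is not None and reported >= required

# Constructed sample: EC2 COSE key with zeroed coordinates, extensions {"minPinLength": 6}
COSE = bytes.fromhex("a5010203262001215820") + bytes(32) + bytes.fromhex("225820") + bytes(32)
SAMPLE = (bytes(32) + bytes([0x01 | AT | ED]) + bytes(4) + bytes(16) + b"\x00\x04cred"
          + COSE + b"\xa1\x6cminPinLength\x06")
```

The check belongs at registration time, since that is when the request says the value is reported; the result can then be stored with the credential record.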