Re: [w3ctag/design-reviews] Broadening the user base of WebAuthn (Issue #686)

> Your response indicated that's not how the device-key extension works. Can you explain more about what device-key extension is meant to be used for then?

The [device public-key extension](https://github.com/w3c/webauthn/pull/1663) proposes that a WebAuthn credential may have a set of secondary private keys associated with it. When registering or asserting with a WebAuthn credential, if the website requests it, an authenticator may return a public key and signature from one of these private keys in addition to the signature from the primary private key for the credential. The idea is that if the authenticator is syncing the primary private key onto different physical devices, each physical device can create its own device-bound key for each credential. The device public-key extension thus discloses some information about the set of devices in use to aid with risk decisions.

We do not envision that most websites would use this. But, for some sites that take a risk-based approach to sign-in, this additional signal may be useful. For example, a sign-in attempt coming from a geographical location that is unusual for the account might be rendered less suspicious given proof that a known device for that user is making the request.

-- 
https://github.com/w3ctag/design-reviews/issues/686#issuecomment-1028273560

Received on Wednesday, 2 February 2022 19:11:12 UTC
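The comment above describes the relying-party side in words only: verify the primary credential signature, verify the extra device-bound signature, and use "is this a device we have seen before for this user" as a risk signal. The following Go program is an added example, not code from the WebAuthn specification, the pull request, or any browser or authenticator implementation. It models one synced primary key shared by two simulated devices (`laptop`, `phone`), each holding its own device-bound P-256 key. The assertion layout (`AuthData`, `ClientDataHash`, an SPKI-encoded device public key and a second signature over the same data), the policy of recording a newly seen device key after both signatures verify, and the `RiskLevel` table are simplifying assumptions made for this example; the real extension uses CBOR-encoded extension outputs and its own attestation rules.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Assertion is a simplified model (assumption for this example) of a WebAuthn
// assertion that also carries device public-key extension output.
type Assertion struct {
	AuthData       []byte // authenticator data bytes
	ClientDataHash []byte // SHA-256 of clientDataJSON
	Signature      []byte // signature by the (synced) primary credential key
	DevicePubKey   []byte // extension output: SPKI-encoded device-bound public key
	DeviceSig      []byte // extension output: signature by the device-bound key
}

// signedDigest is the digest both keys sign: SHA-256(authData || clientDataHash).
func signedDigest(a *Assertion) []byte {
	h := sha256.Sum256(append(append([]byte{}, a.AuthData...), a.ClientDataHash...))
	return h[:]
}

// Authenticator models one physical device: it holds the primary key that is
// synced between devices plus a device-bound key that never leaves this device.
type Authenticator struct {
	primary *ecdsa.PrivateKey
	device  *ecdsa.PrivateKey
}

func NewAuthenticator(primary *ecdsa.PrivateKey) *Authenticator {
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{primary: primary, device: dev}
}

// Assert produces the primary signature and, as the extension would, the
// device public key together with a second signature over the same digest.
func (au *Authenticator) Assert(authData, clientDataHash []byte) (*Assertion, error) {
	a := &Assertion{AuthData: authData, ClientDataHash: clientDataHash}
	d := signedDigest(a)
	var err error
	if a.Signature, err = ecdsa.SignASN1(rand.Reader, au.primary, d); err != nil {
		return nil, err
	}
	if a.DeviceSig, err = ecdsa.SignASN1(rand.Reader, au.device, d); err != nil {
		return nil, err
	}
	a.DevicePubKey, err = x509.MarshalPKIXPublicKey(&au.device.PublicKey)
	return a, err
}

// RelyingParty stores the credential public key and the device keys seen so far,
// indexed by hex(SHA-256(SPKI)).
type RelyingParty struct {
	credPub      *ecdsa.PublicKey
	knownDevices map[string]bool
}

func NewRelyingParty(credPub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{credPub: credPub, knownDevices: map[string]bool{}}
}

// Verify checks the primary signature, then the device-bound signature, and
// reports whether the device key was already known for this credential. A valid
// but previously unseen device key is recorded (policy assumed for this example).
func (rp *RelyingParty) Verify(a *Assertion) (knownDevice bool, err error) {
	d := signedDigest(a)
	if !ecdsa.VerifyASN1(rp.credPub, d, a.Signature) {
		return false, fmt.Errorf("primary credential signature invalid")
	}
	pub, err := x509.ParsePKIXPublicKey(a.DevicePubKey)
	if err != nil {
		return false, err
	}
	devPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("device public key is not ECDSA")
	}
	if !ecdsa.VerifyASN1(devPub, d, a.DeviceSig) {
		return false, fmt.Errorf("device-bound signature invalid")
	}
	sum := sha256.Sum256(a.DevicePubKey)
	id := hex.EncodeToString(sum[:])
	known := rp.knownDevices[id]
	rp.knownDevices[id] = true
	return known, nil
}

// RiskLevel combines a location signal with the device signal: an unusual
// location is downgraded from "high" to "medium" when a known device signs.
func RiskLevel(unusualLocation, knownDevice bool) string {
	switch {
	case unusualLocation && !knownDevice:
		return "high"
	case unusualLocation && knownDevice:
		return "medium"
	default:
		return "low"
	}
}

func main() {
	primary, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := NewRelyingParty(&primary.PublicKey)
	laptop, phone := NewAuthenticator(primary), NewAuthenticator(primary)
	cdh := sha256.Sum256([]byte("constructed clientDataJSON")) // constructed sample input
	for _, dev := range []*Authenticator{laptop, laptop, phone} {
		a, _ := dev.Assert([]byte("constructed authData"), cdh[:])
		known, err := rp.Verify(a)
		fmt.Println("known device:", known, "err:", err, "risk if unusual location:", RiskLevel(true, known))
	}
}
```

Running it prints `known device: false`, then `true` for the laptop's second assertion, then `false` again when the phone first signs with its own device-bound key, which is exactly the "known device for that user" signal the comment describes feeding into a risk decision.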