W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2016

Re: [webauthn] Clarify how a user can authenticate from multiple devices

From: cjthompson via GitHub <sysbot+gh@w3.org>
Date: Tue, 26 Jul 2016 23:16:04 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-235434968-1469574963-sysbot+gh@w3.org>
@vijaybh - I read through the sample scenarios a few times.  While it 
doesn't explicitly cover the scenario that you describe, it seems 
clear that if the authenticator is a portable device of some kind, 
that would allow for logging in from multiple devices.

The Microsoft Account app works this way.  I use a username/password 
to log into my account.  A prompt is shown on my phone to accept the 
login.  Once accepted, I am logged in as expected.

I believe my confusion stems from the scenario in which the user's 
browser is the authenticator.  For example, my browser generates the 
public/private key pair and stores it in a local store (TPM or 
encrypted or whatever).  If the browser generates and stores the key 
pairs, they lose their portability.

Would it be envisioned that some form of cloud storage of private keys
 could be used to sync private keys to multiple devices, similar to 
current password managers?

-- 
GitHub Notification of comment by cjthompson
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/151#issuecomment-235434968 
using your GitHub account
Received on Tuesday, 26 July 2016 23:16:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:23 UTC