- From: Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
- Date: Wed, 28 Sep 2016 07:45:35 +0000
- To: public-webauthn@w3.org
@bifurcation I don't think this is true. The account info tells the *authenticator* what to put in a chooser; this is out of reach of the UA once the credential is created. This allows for roaming authenticators with local storage to do initial logon (as opposed to U2F-style password supplement).

Scenario is something like this: the user comes up to a new machine with his rich authenticator, plugs it into USB for instance, and clicks the log in button on foo.com. That site calls getAssertion without a credential ID. The authenticator shows the user what credentials they have for foo.com so they can pick one. The user selects one, and that assertion gets generated. The site verifies the assertion, and the user is logged on.

In such situations one cannot require allowList because the site does not (and should not) yet know who the user is.

--
GitHub Notification of comment by vijaybh
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/219#issuecomment-250095629 using your GitHub account
Received on Wednesday, 28 September 2016 07:45:44 UTC