Re: [webauthn] fixup algs contd 3

I think we found another limitation of the algorithm specified in section 4.1.4:
If the authenticator is used as first multifactor, i.e. user not yet known (e.g. no password auth, no cookies, ...), then the current algorithm sends no credentialIDs to the authenticator.
That is exactly the right thing to do.  If the authenticator has a UI, the Authenticator could ask the user to select one of the existing credentialIDs for the specific rpID.

However, if the authenticator has no UI (e.g. like PQI My Lockey 360°), the authenticator would need platform support for the credentialID selection.

It would be great to add such support (e.g. by (1) letting the platform know whether or not the authenticator has a UI and (2) by letting the platform retrieve a list of credentialIDs from the authenticator - after user verification).  If we feel that this is too much heavy lifting at this stage, we should at least document the supported scenarios and the limitations.  At this stage it is not very obvious to a reader.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/498#issuecomment-319595322 using your GitHub account

Received on Wednesday, 2 August 2017 07:46:41 UTC
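The selection step the comment above is about, as an added model in JavaScript that is not part of this thread, the WebAuthn spec text, or the w3c/webauthn repository: an authenticator narrows its stored credentials by rpId and by the allow-list (if any), and when the allow-list is empty and several credentials match, only an authenticator with its own UI can let the user pick. The platform-side fallback (listing candidates after user verification and retrying with a one-entry allow-list) is the proposal in the comment, modelled here as an assumption; the credential store contents and all function names are constructed for this example.

```javascript
// Added example: a model of credential selection in a getAssertion call.
// Not spec text and not project code. Store contents, names and the
// platform "list credentials" capability are assumptions of this example.

// Constructed stand-in for the authenticator's credential storage.
const CREDENTIAL_STORE = [
  { credentialId: "id-aaaa", rpId: "example.com", userHandle: "alice" },
  { credentialId: "id-bbbb", rpId: "example.com", userHandle: "bob" },
  { credentialId: "id-cccc", rpId: "other.example", userHandle: "carol" },
];

// Authenticator side: credentials usable for this request. An empty
// allow-list means "every credential stored for this rpId".
function matchingCredentials(store, rpId, allowCredentialIds) {
  const forRp = store.filter((c) => c.rpId === rpId);
  if (allowCredentialIds.length === 0) return forRp;
  return forRp.filter((c) => allowCredentialIds.includes(c.credentialId));
}

// Authenticator side: pick the credential to sign with.
//   hasUI      - whether the authenticator can ask the user itself
//   userChoice - simulates the user's pick on the authenticator's UI
function authenticatorSelect(store, request, { hasUI, userChoice }) {
  const allow = request.allowCredentialIds || [];
  const candidates = matchingCredentials(store, request.rpId, allow);
  if (candidates.length === 0) return { status: "no-credentials" };
  if (candidates.length === 1) return { status: "ok", credential: candidates[0] };
  if (hasUI) return { status: "ok", credential: userChoice(candidates) };
  // The gap described in the comment: several credentials, no allow-list,
  // and no UI on the authenticator to let the user choose between them.
  return { status: "ambiguous", candidates };
}

// Platform side (assumed capability, as proposed in the comment): on an
// ambiguous result, and only after user verification, fetch the candidate
// list, let the platform UI choose, and retry with a one-entry allow-list.
function platformGetAssertion(store, request, authOpts, platformChooser) {
  const first = authenticatorSelect(store, request, authOpts);
  if (first.status !== "ambiguous") return first;
  if (!platformChooser) {
    return { status: "unsupported", reason: "no-UI authenticator, multiple credentials" };
  }
  if (!authOpts.userVerified) {
    return { status: "uv-required", reason: "credential list needs user verification" };
  }
  const chosen = platformChooser(first.candidates);
  const retry = { ...request, allowCredentialIds: [chosen.credentialId] };
  return authenticatorSelect(store, retry, authOpts);
}

// Helper for the simulations: pick a candidate by userHandle.
function pickByHandle(handle) {
  return (candidates) => candidates.find((c) => c.userHandle === handle);
}
```

Run with a request for `example.com` and no allow-list: an authenticator with `hasUI: true` resolves it through `userChoice`, one with `hasUI: false` returns `ambiguous`, and only the platform-side path with a chooser and `userVerified: true` turns that into a signed-with credential.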