Re: [webauthn] Clarify meaning of UVI

1) What are RPs expected to do when UVI matches a previous version? 
If it matches a set of previously seen UVI values that are tied to the legitimate user, the RP has strong assurance that the same user approved the action. So all RPs (including the ones that care about "friendly fraud") could accept the action.

2) What are they expected to do when they don't match?
RPs that care about "friendly fraud" should be aware that it is likely that a different person has authorized the action on the device that is also used by the legitimate user.

Note: RPs can use the "user identity binding" approaches (that are also used for the initial authenticator registration) to allow users to register multiple UVI values.

-- 
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/156#issuecomment-321182215 using your GitHub account

Received on Wednesday, 9 August 2017 07:56:25 UTC
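An added example, not code from the thread or from the WebAuthn specification: an RP-side policy that stores the UVI values seen for a credential and applies the two cases above (match means the same user; mismatch means a likely different person for RPs that care about "friendly fraud"), with a re-binding step modelled on the registration-time identity proofing. The UVI is treated as an opaque byte string; the class names, the `identity_proven` flag and the handling of an absent UVI are assumptions.

```python
# Added example (not from the thread or the WebAuthn spec): RP-side handling
# of the UVI extension output as described in the comment above. The UVI is
# an opaque byte string; names, the identity_proven flag and the treatment of
# a missing UVI (assumed: counts as "no match") are this example's assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Outcome(Enum):
    ACCEPT = "accept"                  # UVI seen before for this credential
    ACCEPT_UNBOUND = "accept-unbound"  # RP does not use UVI for fraud policy
    FLAG_FRIENDLY_FRAUD = "flag"       # likely a different person on the same device


@dataclass
class Credential:
    user: str
    known_uvis: Set[bytes] = field(default_factory=set)


class RelyingParty:
    def __init__(self, cares_about_friendly_fraud: bool):
        self.cares = cares_about_friendly_fraud
        self.creds: Dict[str, Credential] = {}

    def register(self, cred_id: str, user: str, uvi: Optional[bytes]) -> None:
        # Initial registration: the UVI presented at enrolment is tied to the user.
        cred = Credential(user)
        if uvi is not None:
            cred.known_uvis.add(uvi)
        self.creds[cred_id] = cred

    def bind_additional_uvi(self, cred_id: str, uvi: bytes, identity_proven: bool) -> bool:
        # "User identity binding": reuse the registration-time proofing step
        # before accepting a further UVI value for the same legitimate user.
        if not identity_proven:
            return False
        self.creds[cred_id].known_uvis.add(uvi)
        return True

    def evaluate_assertion(self, cred_id: str, uvi: Optional[bytes]) -> Outcome:
        cred = self.creds[cred_id]
        if uvi is not None and uvi in cred.known_uvis:
            return Outcome.ACCEPT           # same user approved the action
        if not self.cares:
            return Outcome.ACCEPT_UNBOUND   # credential valid; UVI not policy-relevant
        return Outcome.FLAG_FRIENDLY_FRAUD  # mismatch or absent UVI on a caring RP
```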