[webauthn] Consider dropping requirement for TUP on create()

balfanz has just created a new issue for https://github.com/w3c/webauthn:

== Consider dropping requirement for TUP on create() ==
Currently, the spec requires that Authenticators test for user presence when creating a new keypair. 

The user experience on existing platforms (TouchID on iOS, Fingerprint on Android) for equivalent use cases (turn on TouchID for Amazon orders, turn on TouchID when logging into Mint, etc.) does not do this - it's often a simple switch in the apps' UI.

We should go with the industry standard here and allow RPs to turn on FIDO authentication (i.e., call create()) without a test of user presence. If an RP really wants this behavior (not register a key unless the user is present), it can call create(), followed by get() (which will continue to require TUP), before it registers the generated key.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/564 using your GitHub account

Received on Thursday, 14 September 2017 22:36:24 UTC
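
The create()-then-get() fallback described in the issue, sketched from the RP server's side as an added example (not code from the issue or from the WebAuthn specification). The store names, function names and result strings are hypothetical; the sketch assumes an ES256 credential, a challenge compared in the encoded string form found in clientDataJSON, and leaves out the origin and signature-counter checks.

```javascript
const crypto = require("node:crypto");

const FLAG_UP = 0x01;          // bit 0 of the authenticator data flags byte
const pending = new Map();     // hypothetical store: keys from create(), not yet usable
const registered = new Map();  // hypothetical store: keys accepted for login
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Step 1: hold the key returned by create(); no user presence was tested.
function holdNewKey(credentialId, publicKey) {
  pending.set(credentialId, publicKey);
}

// Step 2: promote the key only after a valid get() assertion with UP set.
// authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function confirmWithAssertion(credentialId, rpId, challenge, authData, clientDataJSON, signature) {
  const publicKey = pending.get(credentialId);
  if (!publicKey) return "unknown-credential";
  if (authData.length < 37) return "malformed-authdata";
  let client;
  try { client = JSON.parse(clientDataJSON); } catch { return "bad-client-data"; }
  if (client.type !== "webauthn.get" || client.challenge !== challenge) return "bad-client-data";
  if (!crypto.timingSafeEqual(authData.subarray(0, 32), sha256(rpId))) return "wrong-rp";
  // The assertion signature covers authData || SHA-256(clientDataJSON), so the
  // flags byte is only trusted once the signature has verified.
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!crypto.verify("sha256", signed, publicKey, signature)) return "bad-signature";
  if ((authData[32] & FLAG_UP) === 0) return "user-not-present";
  pending.delete(credentialId);
  registered.set(credentialId, publicKey);
  return "registered";
}

// Constructed stand-in for an authenticator, used only to produce sample input.
function sampleAssertion(privateKey, rpId, challenge, flags) {
  const authData = Buffer.concat([sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);
  const clientDataJSON = JSON.stringify({ type: "webauthn.get", challenge, origin: `https://${rpId}` });
  const signature = crypto.sign("sha256", Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  return { authData, clientDataJSON, signature };
}
```

A key stays in `pending` after any failed confirmation, so the RP can retry get() without calling create() again.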