- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 16 Feb 2018 20:48:24 +0000
- To: public-webauthn@w3.org
I think the following would work? 1. Have the browser send the exclude list down to the authenticators. For any which say `CTAP2_ERR_CREDENTIAL_EXCLUDED`, note them and reissue the command without an exclude list. 1. If the user ends up tapping a different authenticator, great. No problem. 1. If the user selects an excluded authenticator either a) tell the site via an error status or b) prompt the user "You have already registered this authenticator on this site. Really register again?" Option a) lets the site probe for suspected identities, although it only gets a single bit per user action. Option b) solves this problem, but gives the user the power to register an authenticator twice if they wish, which might be crappy if sites are requiring multiple authenticators for a good reason. -- GitHub Notification of comment by agl Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806#issuecomment-366354063 using your GitHub account
Received on Friday, 16 February 2018 20:48:27 UTC