Re: [webauthn] What's this SPEC for?

1. Yes, there will be a different key for each site, but you can register multiple keys with each account. A likely scenario for many users will be to use a built-in authenticator most of the time, but also have an external authenticator for logging in from a new device. After that first login you can register the built-in authenticator in the new device (if it has one) so you don't need the external authenticator for future logins on that device.

But "store the credential" was a simplification. What's actually sent back to the server is a public key and a _credential ID_. If the authenticator stores the private key, the credential ID will just be a random byte string. But the authenticator may also choose to instead encrypt the private key using an internal encryption key, and send the encrypted private key as the credential ID. In this case the key is actually stored on the server (but note that the server still only sees a blob of random bytes), and can be used by any authenticator with the same internal encryption key. This also means the authenticator has infinite "storage" capacity for such credentials. This is how existing U2F security keys work. Note that in this case it's not possible to use the credential in "first factor mode" as described above, because in that mode the authenticator doesn't get the credential ID from the server.

> I vote for this method

Web Authentication does not specify the details of how the authenticator creates or stores the keys. Authenticator vendors are free to implement it how they wish, as long as they're compliant, and users are free to choose which authenticators they want to use.

2. Then the credential won't work anymore. The server can "override" the origin as long as it stays within the same domain, though, so `www.youtube.com` can set its origin to `youtube.com` so credentials created there are also usable on `m.youtube.com`.

It should actually be possible for authenticators to provide a way to change the domain a credential is bound to, but no such feature is defined in the spec.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/820#issuecomment-368330864 using your GitHub account

Received on Sunday, 25 February 2018 18:11:28 UTC
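The following is an added worked example for this thread; it is not code from emlun's post, from the WebAuthn spec, or from any real authenticator. It models the two points above in the Python standard library: point 1, a U2F-style authenticator that keeps no per-credential state and instead hands the server a credential ID that is really a wrapped private key (usable by any device holding the same internal secret, rejected by any other, and unusable in the first-factor flow where the server supplies no credential ID), and point 2, the client-side check that an RP ID such as youtube.com stays within the requesting origin's domain. Everything named here (WrappingAuthenticator, rp_id_allowed, demo, the device secrets) is invented for the example. Simplifications, stated as assumptions: the 32-byte KDF output stands in for a P-256 private scalar and no ECDSA signature is produced; the wrapping is nonce || MAC rather than an AEAD ciphertext of a real key; the RP ID check is a plain dot-boundary suffix test and does not consult the public suffix list.

```python
"""
Toy model of the credential-ID designs discussed above: an authenticator with
no per-credential storage whose credential ID is a wrapped (KDF-derived,
MAC-protected) private key, plus the client-side RP ID scoping check.

Added example for this thread, not code from the post or the WebAuthn spec.
Assumptions: the KDF output stands in for a P-256 scalar (no ECDSA here); the
wrapping is nonce || MAC, not an AEAD ciphertext; rp_id_allowed() ignores the
public suffix list.
"""
from __future__ import annotations

import hashlib
import hmac
import os


def rp_id_allowed(origin_host: str, rp_id: str) -> bool:
    """True if rp_id equals origin_host or is a dot-boundary suffix of it,
    so www.youtube.com may use RP ID "youtube.com" but not "tube.com"."""
    origin_host, rp_id = origin_host.lower(), rp_id.lower()
    return origin_host == rp_id or origin_host.endswith("." + rp_id)


class WrappingAuthenticator:
    """U2F-style authenticator: nothing is stored per credential."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret  # never leaves the device

    def _prf(self, label: bytes, rp_id: str, nonce: bytes) -> bytes:
        msg = label + b"|" + rp_id.encode() + b"|" + nonce
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def make_credential(self, rp_id: str) -> tuple[bytes, bytes]:
        """Return (credential_id, public_key_stand_in); store nothing."""
        nonce = os.urandom(16)
        priv = self._prf(b"key", rp_id, nonce)
        cred_id = nonce + self._prf(b"mac", rp_id, nonce)[:16]
        pub = hashlib.sha256(b"pub|" + priv).digest()  # stand-in for the EC public key
        return cred_id, pub

    def unwrap(self, rp_id: str, credential_id: bytes) -> bytes | None:
        """Recover the private key, or None if the credential ID was not made
        for this RP ID by an authenticator holding this device secret."""
        if len(credential_id) != 32:
            return None
        nonce, tag = credential_id[:16], credential_id[16:]
        if not hmac.compare_digest(tag, self._prf(b"mac", rp_id, nonce)[:16]):
            return None
        return self._prf(b"key", rp_id, nonce)

    def get_assertion(self, origin_host: str, rp_id: str, allow_list: list[bytes]) -> bytes | None:
        """Second-factor flow: the server supplies candidate credential IDs.
        An empty allow list (first-factor / discoverable flow) cannot succeed
        here, because there is nothing on the device to look up."""
        if not rp_id_allowed(origin_host, rp_id):
            return None
        for cred_id in allow_list:
            priv = self.unwrap(rp_id, cred_id)
            if priv is not None:
                return priv
        return None


def demo() -> dict:
    """Run the scenarios from the post; every value should be True."""
    shared_secret = b"\x11" * 32                    # constructed: two devices sharing one wrapping key
    key_a = WrappingAuthenticator(shared_secret)
    key_b = WrappingAuthenticator(shared_secret)
    stranger = WrappingAuthenticator(b"\x22" * 32)  # constructed: an unrelated device

    cred_id, pub = key_a.make_credential("youtube.com")  # registered from www.youtube.com
    priv = key_a.get_assertion("www.youtube.com", "youtube.com", [cred_id])
    return {
        "server_stored_id_works": priv is not None
        and hashlib.sha256(b"pub|" + priv).digest() == pub,
        "same_secret_other_device_works":
            key_b.get_assertion("m.youtube.com", "youtube.com", [cred_id]) == priv,
        "different_device_rejects":
            stranger.get_assertion("www.youtube.com", "youtube.com", [cred_id]) is None,
        "other_rp_id_rejects":
            key_a.get_assertion("tube.com", "tube.com", [cred_id]) is None,
        "origin_outside_domain_rejects":
            key_a.get_assertion("www.tube.com", "youtube.com", [cred_id]) is None,
        "first_factor_mode_fails":
            key_a.get_assertion("www.youtube.com", "youtube.com", []) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The MAC binds the credential ID to the RP ID as well as to the device secret, which is what makes "the credential won't work anymore" in point 2 concrete: re-registering the same credential ID under a different RP ID fails at unwrap, and a client that enforces rp_id_allowed() refuses to even try from an origin outside that domain.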