W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2019

Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Feb 2019 19:06:41 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-461147108-1549480000-sysbot+gh@w3.org>
If resident forbiddin is the third option then setting that would not work with some platform authenticators that always make resident credientials.   
That will cause RP to always ask for preferd to be the most compatable.
If all RP allways ask for preferd external authenticators will fill up with resident connections afer the first x sites. Then only be able to make non resident credentials untill the user uses a credential management UI to delete a credential.  

I would rather have a default that lets the authenticator decide and report the credential type to the RP.
That lets RP who don't care about using browser side credental selection, get something that can work passwordless in a identifier first flow but not create needlessly bad user experiences as a side efect.

GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-461147108 using your GitHub account
Received on Wednesday, 6 February 2019 19:06:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:02 UTC