- From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
- Date: Thu, 17 Jan 2019 01:40:49 +0000
- To: public-webauthn@w3.org
@herrjemand Thanks for pointing out the related docs. When I tried to test requrieResident key feature with Edge and Windows Hello (PIN), I can create the key with default value (false) and the generated key can be used in username-less flow (empty _allowCredentials_). So, I am thinking that browsers do not filter out the authenticator that only supports _RK_ when _requireResidentKey_ is false and the authenticator maintains the credential in the client side. So, for supporting this, RP should set _requireResidentKey_ is true for the creation and handle error than try with _requireResidenKey_ as false. This is very bad UX for the user and it is hard to handle. If RP wants support various scenarios (username-less, first-factor, second-factor and etc) depending on the authenticator types, it is better for RP to get the authenticator types (rk, uv, up and etc) during the registration process. -- GitHub Notification of comment by Kieun Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-455010244 using your GitHub account
Received on Thursday, 17 January 2019 01:40:50 UTC