
[webauthn] Add notion of forbidding resident credential creation (#1149)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Tue, 29 Jan 2019 01:15:17 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-404078671-1548724516-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== Add notion of forbidding resident credential creation ==
Today, when making a credential, an RP can specify that they either require a [(client-side) resident credential](http://w3c.github.io/webauthn/#resident-credential), or that they can live with either that or the alternative server-side resident credential (think U2F). 

Thinking forward to how we’d like to migrate users with security keys to the “resident credential” world (and thus enabling password-less and typing-free flows), we propose that we add an additional value to the [`requireResidentKey`](http://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey) parameter during Create. With this, we’ll end up with ResidentCredential being one of three values: `{Required, Preferred, Forbidden}`:

`Required` maps to the current setting of [`requireResidentKey = true`](http://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey), explicitly requiring the authnr to create a [resident credential](http://w3c.github.io/webauthn/#resident-credential).

`Preferred` indicates that the RP prefers to create a [resident credential](http://w3c.github.io/webauthn/#resident-credential), but would also be fine with a non-resident credential (aka "[server-side cred](http://w3c.github.io/webauthn/#server-side-credential-storage-modality)"), if that’s the only thing the authenticator supports. Presently, [`requireResidentKey = false`](http://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-requireresidentkey) largely maps to this.

`Forbidden` will map to a new, explicit sense of “false” (it’s better defined): it means that the authenticator must explicitly create a [server-side resident credential](http://w3c.github.io/webauthn/#server-side-credential-storage-modality).

See also: [Credential Storage Modality](http://w3c.github.io/webauthn/#sctn-credential-storage-modality) and [Authenticator Taxonomy](http://w3c.github.io/webauthn/#sctn-authenticator-taxonomy)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149 using your GitHub account
Received on Tuesday, 29 January 2019 01:15:18 UTC
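The following is an added example, not code from the issue, the WebAuthn specification, or any browser. It models how a relying party would act on the proposed tri-state `{Required, Preferred, Forbidden}`: how each value collapses onto the existing `requireResidentKey` boolean, and what the recorded value implies for the later `navigator.credentials.get()` call (whether `allowCredentials` may be left empty for a typing-free flow, or must carry the stored credential IDs because the credential may be server-side resident). The `residentCredential` option name, the `registeredAs`/`storedCredentialIds` record fields, and the choice of user-verification level are assumptions made for the illustration; challenges and IDs are plain strings rather than the `ArrayBuffer`s the real API takes.

```javascript
// Added example (not from the issue or the WebAuthn spec). Models RP-side
// handling of the proposed tri-state for resident credentials. Option and
// field names below are assumptions for illustration.

const RESIDENT = Object.freeze({
  Required: "Required",
  Preferred: "Preferred",
  Forbidden: "Forbidden",
});

// Map the proposed value onto the boolean the API carries today.
// Only Required round-trips exactly; Preferred and Forbidden both become
// `false`, which is the ambiguity the issue wants to remove.
function toRequireResidentKey(residentCredential) {
  switch (residentCredential) {
    case RESIDENT.Required:
      return true;
    case RESIDENT.Preferred:
    case RESIDENT.Forbidden:
      return false;
    default:
      throw new TypeError(`unknown residentCredential value: ${residentCredential}`);
  }
}

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// Challenge and user.id are strings here; a real RP decodes base64url into
// ArrayBuffers before handing the options to the browser.
function buildCreateOptions({ rpId, userId, userName, challenge, residentCredential }) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      requireResidentKey: toRequireResidentKey(residentCredential),
      // A typing-free flow has no username step, so user presence alone does
      // not identify anyone; require user verification when a resident
      // credential is required (assumption: RP policy, not mandated by the issue).
      userVerification: residentCredential === RESIDENT.Required ? "required" : "preferred",
    },
  };
}

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// `registeredAs` is the tri-state value the RP recorded at registration;
// `storedCredentialIds` are the credential IDs persisted from the attestation
// response (assumed RP-side storage layout).
function buildGetOptions({ rpId, challenge, registeredAs, storedCredentialIds }) {
  const base = { rpId, challenge };
  if (registeredAs === RESIDENT.Required) {
    // The authenticator is known to hold a client-side resident credential
    // for this rpId, so allowCredentials may be empty and the authenticator
    // discovers the credential itself: no username typed, no ID lookup.
    return { ...base, allowCredentials: [], userVerification: "required" };
  }
  // Preferred or Forbidden: the credential may be server-side resident, and
  // with `requireResidentKey: false` the RP cannot tell which modality it got,
  // so it must present the stored IDs (for a U2F-style authenticator the ID is
  // what lets it recover the key). That requires identifying the user first.
  if (!storedCredentialIds || storedCredentialIds.length === 0) {
    throw new Error(
      "no stored credential IDs: a non-resident credential cannot be exercised without allowCredentials"
    );
  }
  return {
    ...base,
    allowCredentials: storedCredentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: "preferred",
  };
}
```

The asymmetry in `buildGetOptions` is the practical reason the issue matters: only a credential registered as `Required` lets the RP safely drop `allowCredentials`, while anything registered under today's `false` has to be treated as possibly server-side resident, so the username step cannot be removed for those users.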
