Re: FacetID equivalent for WebAuthn?

Thanks again Adam.

Is this the iframe spec you are referring to:

The situation looks pretty bleak from where I stand. I am surprised that
this is not coming up as an issue. Was there a concrete reason to stop
supporting FacetID? Lack of interest?

On Thu, Jul 18, 2019 at 3:59 PM Adam Langley <> wrote:

> On Thu, Jul 18, 2019 at 3:08 PM Marius Scurtescu <
>> wrote:
>> How is a multi-domain deployment supposed to work with WebAuthn? And by
>> multi-domain I mean domains that don't match: and
>> One solution that was suggested is to always redirect to the IdP, so
>> there is not need for multiple domains. That might work for login, but when
>> WebAuthn is used as a re-authentication challenge then a full page redirect
>> becomes very difficult to implement, especially for an existing application.
> WebAuthn credentials are tied to an RP ID, which is a domain name. There
> is not support for “groups” of domains being acceptable for a credential.
> Redirecting (with suitable care) is possible, somewhat similar to OAuth.
> There is also (currently) unimplemented spec for granting iframes WebAuthn
> abilities, in which case postMessage can be used. Implementation priorities
> are set by need and, currently, nobody is making a fuss about the lack of
> iframe support so it's not on the roadmap.
> Cheers

Received on Friday, 19 July 2019 00:49:48 UTC