Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

@christiaanbrand: Practically, you have the semantics that you want from `discouraged`. I am assuming that you don't want it to prompt for PIN for **_external authenticators_**. I am also assuming that you don't want that from Windows Hello?

By and large, we agreed on that for non-resident keys on external authenticators. But that is not an absolute guarantee from CTAP spec. That still depends on how authenticator wants to differentiate themselves. CTAP spec allows them to do **_more_** than asked for.

Practically speaking, when you set it to `discouraged`, a single link will work for Platform authenticator (like windows hello where we will always ask for user verification) and external authenticators (where for non-resident keys, you will not have a PIN).

`Discouraged` value really works for almost all the cases.

Instead of renaming, we can add another value of `forbidden` if that's what you want. Setting it to `forbidden` will not work for 'Windows Hello' and also for **_some_** external authenticators who will distinguish themselves and will always ask for user verification. And CTAP spec allows them to do **_more_** than asked for. Platform will have to NOT allow such users/Authenticators for the request. I am not sure whether you want to NOT allow such authenticators. 

Did I clear the confusion? 



-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-501467676 using your GitHub account

Received on Wednesday, 12 June 2019 21:48:48 UTC
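The point made above is that `userVerification: 'discouraged'` is a hint, not a guarantee: an external key will usually answer with user presence only, while a platform authenticator such as Windows Hello will verify the user anyway because CTAP permits doing more than asked. The example below is an added illustration, not code from the thread or from the WebAuthn project, of how a relying party should account for that when it parses the returned authenticator data. The RP id, user, challenge bytes and authenticator data buffers are constructed placeholders, and `buildCreationOptions`, `parseAuthenticatorData`, `checkUserVerification` and `demo` are hypothetical helper names.

```javascript
// Added example (not from the thread): relying-party side handling of the
// `userVerification` hint and the UP/UV flags in authenticatorData.
// All inputs are constructed for illustration.

const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified
const FLAG_AT = 0x40; // bit 6: attested credential data included
const FLAG_ED = 0x80; // bit 7: extension data included

// Options an RP would hand to navigator.credentials.create(). The
// userVerification value is a requirement hint; authenticators may do more.
function buildCreationOptions(userVerification) {
  return {
    rp: { id: 'example.test', name: 'Example RP' }, // assumed RP id
    user: { id: new Uint8Array(16), name: 'alice', displayName: 'Alice' },
    challenge: new Uint8Array(32), // constructed; use crypto.getRandomValues in practice
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    authenticatorSelection: {
      requireResidentKey: false,
      userVerification, // 'required' | 'preferred' | 'discouraged'
    },
  };
}

// Parse the fixed prefix of authenticatorData:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error('authenticatorData too short');
  const flags = bytes[32];
  const signCount = new DataView(bytes.buffer, bytes.byteOffset + 33, 4).getUint32(0, false);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount,
  };
}

// RP policy: 'required' must see UV; 'preferred' and 'discouraged' accept
// either outcome, because the authenticator is allowed to verify the user
// even when the RP did not ask for it. User presence is always required.
function checkUserVerification(requirement, parsed) {
  if (!parsed.userPresent) return { ok: false, reason: 'user presence flag not set' };
  if (requirement === 'required' && !parsed.userVerified) {
    return { ok: false, reason: 'UV required but not performed' };
  }
  return { ok: true, reason: parsed.userVerified ? 'UV performed' : 'UP only' };
}

// Constructed authenticatorData: all-zero rpIdHash, given flags, signCount 7.
function makeAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, 7, false);
  return buf;
}

// Demo: a UP-only response (external key, no PIN) and a UP+UV response
// (Windows Hello) both satisfy a 'discouraged' request; only UP+UV satisfies
// 'required'.
function demo() {
  const upOnly = parseAuthenticatorData(makeAuthData(FLAG_UP));
  const upUv = parseAuthenticatorData(makeAuthData(FLAG_UP | FLAG_UV));
  return {
    discouragedUpOnly: checkUserVerification('discouraged', upOnly).ok,
    discouragedUpUv: checkUserVerification('discouraged', upUv).ok,
    requiredUpOnly: checkUserVerification('required', upOnly).ok,
    requiredUpUv: checkUserVerification('required', upUv).ok,
  };
}

console.log(buildCreationOptions('discouraged').authenticatorSelection, demo());
```

The practical consequence for an RP is that with `discouraged` it must treat the session as user-presence-only regardless of whether the UV bit happens to be set, since the next assertion from a different authenticator may legitimately omit it.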