Re: [webauthn] Add notion of forbidding resident credential creation (#1149)

If the goal is RP UX that prevents asking for a PIN, the change should be in WebAuthn - to forbid creating credentials that will require a PIN (or perhaps any form of UV) at authentication time.

Correct me if I'm wrong - CTAP is important, but it does not preclude other roaming authenticator specifications in the future, and also does not dictate platform authenticator behavior. It also isn't the spec that an RP should be looking at for WebAuthn API behavior.

GitHub Notification of comment by dwaite

Received on Thursday, 13 June 2019 04:02:38 UTC