- From: Shane Weeden via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Jun 2019 06:49:34 +0000
- To: public-webauthn@w3.org

So my take on @christiaanbrand's requirement is that this is how things *should* behave today (even in L1) if navigator.credentials.create is called with requireResidentKey=false (or absent, since that's the default), and userVerification=discouraged. The simple fact though is that this isn't how all browser+authenticator combinations behave - the behaviour is inconsistent across browsers (CTAP1 vs CTAP2) and when using platform vs roaming authenticators, and even changes depending on some roaming authenticators' enabled capabilities (if a PIN is set vs not set).

I don't think a functional spec change is really required or desirable but I do think it's worth getting the editors to weigh in on whether or not they concur that the combination of modifiers I have suggested should result in the requested behaviour. If so, then the spec could provide specific direction regarding same.

--
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-506216331 using your GitHub account

Received on Thursday, 27 June 2019 06:49:36 UTC