- From: David Waite via GitHub <sysbot+gh@w3.org>
- Date: Wed, 13 Mar 2019 23:52:12 +0000
- To: public-webauthn@w3.org
Since an authenticator could decide to give a resident credential in place of a non-resident credential, this is almost a misnomer in the spec itself. What the relying party really cares about is whether an assertion can be made within the UX the party wants. Thinking of this as a list of behaviors, to register a credential which either: 1. works without a handle presented in an allow list, as a primary factor 2. requires a handle in the allow list, as a secondary factor 3. prefers a credential which works without a handle, which will work as a primary factor. A secondary factor credential can be registered as well. This does mean that in case 2, the credential must not be presented as an option if a request is made without the corresponding handle being presented in an allow list. And in case 3, the relying party must know whether a handle is required or not for creating assertions in the future. I suspect there isn't a usability case for forbidding authenticators from creating resident credentials, because a resident credential is a superset usage-wise compared to a non-resident one. -- GitHub Notification of comment by dwaite Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1149#issuecomment-472650713 using your GitHub account
Received on Wednesday, 13 March 2019 23:52:13 UTC