Re: [webauthn] How "preferred" is a "preferred" resident key (#1463)

> Is this about Android devices?

It's a question about external authentications for now since Android does not yet support discoverable credentials. The behaviour on Android would also be out of the control of the browser since it's not the browser driving PIN set up on Android.

> I'm assuming that discoverable credentials are only useful when they can provide two factors in themselves.

Another factor to consider is that sites switching from the traditional, U2F-style flow, to one based on discoverable credentials, would presumably still be setting uv=discouraged in the `create` call because, for user-agents that are still on WebAuthn level one, they still want the old behaviour. Thus the suggestion (i) in the first message would mean that rk=preferred also overrides the uv specification — which is fine, but also something that I think we should pin down.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1463#issuecomment-667763235 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 3 August 2020 01:55:48 UTC