- From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
- Date: Fri, 07 Aug 2020 14:59:04 +0000
- To: public-webauthn@w3.org
> Microsoft had some use cases uv less resident credentials. It was talked about as tap and go.
I don't know how relevant they are to the web. Classic Edge did support that.
We create resident credential with `credProtect` level 1 and `uvRequired`. Such a credential can do Tap and Go in non-web scenarios and 2FA scenarios on the web.
- For Simple roaming authenticators with ClientPIN with/without internal UV.
- clientPIN is a requirement to set internal UV.
- If either form of user verification is setup, platform will use that.
- If nothing is setup, Windows guides user to create a clientPIN for external devices if uv option is preferred or required. If UV is discouraged, we don't setup clientPIN. But we still create a resident key.
- Platform Authenticators
- On platform webauthn
- If no user verification is setup, I was assuming platform authenticator is not present in that case and IUVPAA will return false. @christiaanbrand, Are you saying that webauthn is always present on Android and in that case, you will be making non-resident keys?
- This is different from Windows, where user has to enable Windows Hello explicitly.
- Roaming scenario (Phone as roaming authenticator).
- For Phone like roaming authenticators, who does not support clientPIN and who can do all internal UV itself, if they have uv configured, we will try to create a resident credential with that internal UV for "Preferred" option. If they don't, we as of today still try to create resident keys.
Seems like we need to write down all the combinations between ResidentKeyRequirement and UserVerificationRequirement
--
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1463#issuecomment-670559272 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 7 August 2020 14:59:06 UTC