[webauthn] Return authentication method used for platform types (#1373)

gcbenjamin has just created a new issue for https://github.com/w3c/webauthn:

== Return authentication method used for platform types ==
Is there currently any way of distinguishing in the response from the API what platform authentication method was used? For example, was fingerprint used on the Android device, or was fingerprint bypassed to use the device's PIN instead? Did fingerprint fail and PIN was used? (I'm guessing it's the same for FaceId but I'm yet to test FaceId).

Use case: I'm a parent and my kids know my PIN. Why? Just ask 99% of parents with small kids... My website is implementing WebAuthN and contains sensitive data (like credit card). By allowing WebAuthN my site is now far LESS secure than a traditional password. You could argue that you should keep your device PIN as secret as a password, but in reality that is not the case.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1373 using your GitHub account

Received on Thursday, 13 February 2020 03:57:00 UTC