Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

@Oloompa This problem is not new to WebAuthn: if a user wants to sign in but has forgotten their password, do you ask them for just their username and let them in anyway? If you lose your house key, do you use an override handle to unlock the door without it?

There is no single answer to your question; it will depend on the security requirements of the service, and perhaps the user.

Some services might just send an account recovery e-mail and call it good enough. Some might lock you out until you recover your authenticator or retrieve a backup authenticator you registered before losing the other one. Some might lock you out but provide some intentionally cumbersome account recovery options (see Google's Advanced Protection, for example). Some users might prefer the risk of getting locked out over the risk of someone abusing account recovery procedures to take over their account.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-571650450 using your GitHub account

Received on Tuesday, 7 January 2020 16:02:22 UTC