- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 22 Jan 2020 21:55:26 +0000
- To: public-webauthn@w3.org
(This was discussed on the call of 2020-01-22.) A browser can't be sure whether a 1st-factor flow is suitable for a given website because users might be authenticating with, for example, a USB token that they insert. In current designs, users register security keys as an additional layer of security and, after that point, they are _required_ for that account to be authenticated, so fallback to passwords alone isn't permitted. (Some sites split the username entry out into a separate step so that they can better guide the authentication based on the exact account that's logging in.) I get that you would like a button that triggers a WebAuthn login if it'll work, and immediately fails if not. But I don't believe that we can provide that given privacy concerns and given that the platform doesn't know what authenticators a user might insert. Overall, the decision on the call was that we don't see an action here, I'm afraid. -- GitHub Notification of comment by agl Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-577404283 using your GitHub account
Received on Wednesday, 22 January 2020 21:55:27 UTC