- From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
- Date: Sat, 25 Jan 2020 15:24:36 +0000
- To: public-webauthn@w3.org

Just to make sure we are talking about the same thing:

1. I do split the username to a separate step to allow for a check for authn support first.
2. I see usb keys and other cross platform authenticators as a 2nd factor authentication only.
3. I use platform authenticators as a first factor authentication only after a traditional authentication with username, password followed by a 2nd factor auth of some sort has fully authenticated the user. Subsequent authentication can then use webauthn platform authentication as the only factor.

The problem comes that I can't automatically test for the webauthn flow without some upfront knowledge. I could have a separate button on the username form and let the user decide, but I see that as requiring a huge amount of user education and I do not believe it will have substantial impact on phishing.

With these current restrictions I just don't see webauthn being usable for primary factor authentication unless username enumeration is permissible.

--
GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-578415163 using your GitHub account

Received on Saturday, 25 January 2020 15:24:38 UTC