W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2020

Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

From: Ali-Amir Aldan via GitHub <sysbot+gh@w3.org>
Date: Tue, 07 Jul 2020 03:04:13 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-654570755-1594091052-sysbot+gh@w3.org>
I am a bit confused about a multi-device multi-website scenario and was wondering if someone could help me out with that:

A user uses their phone as their key and they are registered on a lot of websites with this phone (abc.xyz, example.com, etc) via some FIDO2 compliant authenticator app. At some point they will upgrade their phone (get a newer Pixel/iPhone/etc) and at that time what is the spec's recommendation for enabling the new phone on all of the existing accounts (abc.xyz, example.com, etc)?

There are approaches that an authenticator app could take to address that such as "securely" migrating existing credentials to the new device or user forcing the user to manually add the device to the websites. But does FIDO2 provide a recommendation for which approach an authenticator app should take? My understanding from the thread is that this might be something outside of the specification and is the authenticator's reliability. But this seems like very common use case and it would be great to have a recommendation (unless it's already there and I missed it).

GitHub Notification of comment by Ali-Amir
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-654570755 using your GitHub account
Received on Tuesday, 7 July 2020 03:04:15 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:41 UTC