Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

> what is the spec's recommendation for enabling the new phone on all of the existing accounts (abc.xyz, example.com, etc)?
The WebAuthn specification doesn't have any recommendation for this flow; it would be up to the authenticator vendor (Apple, Google, Samsung, etc.) to provide a secure method for the transference of key material. This doesn't mean the specification _couldn't_ help define this, however; for example, there could be a WebAuthn extension to help facilitate this, but realistically this would be something handled by the vendor.

> My understanding from the thread is that this might be something outside of the specification and is the authenticator's reliability.
That's my understanding as well.

> Does FIDO2 provide a recommendation for which approach an authenticator app should take?
No, or at least not at this time. Personally I think this should be something defined by the authenticator vendors. As far as I know, the only hardware vendor to write anything about this topic is Yubico with their work on the account recovery extension.

-- 
GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-654582877 using your GitHub account

Received on Tuesday, 7 July 2020 03:52:19 UTC