W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2020

Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

From: Nick Steele via GitHub <sysbot+gh@w3.org>
Date: Tue, 07 Jul 2020 03:52:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-654582877-1594093936-sysbot+gh@w3.org>
> what is the spec's recommendation for enabling the new phone on all of the existing accounts (abc.xyz, example.com, etc)?
The WebAuthn specification doesn't have any recommendation for this flow, it would be up to the authenticator vendor (Apple, Google, Samsung, etc) to provide a secure method for the transference of key material. This doesn't mean the specification _couldn't_ help define this however, for example there could be a WebAuthn extension to help facilitate this, but  realistically this would be something handled by the vendor. 

> My understanding from the thread is that this might be something outside of the specification and is the authenticator's reliability.
That's my understanding as well

>  Does FIDO2 provide a recommendation for which approach an authenticator app should take?
No, or at least not at this time. Personally I think this should be something defined by the authenticator vendors. As far as I know the only hardware vendor to write anything about this topic is Yubico with their work on the account recovery extension .

-- 
GitHub Notification of comment by nicksteele
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-654582877 using your GitHub account
Received on Tuesday, 7 July 2020 03:52:19 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 7 July 2020 03:52:20 UTC