[webauthn] How "preferred" is a "preferred" resident key (#1463)

christiaanbrand has just created a new issue for https://github.com/w3c/webauthn:

== How "preferred" is a "preferred" resident key ==
Now that we have the residentKey tri-state {discouraged, preferred, required} implemented, we should define what "level of preferredness" preferred actually means so that users have a consistent experience across client platforms.

There are multiple options:
i) We’ll always create a resident key, even if we have to guide the user in setting up a PIN first.
ii) If internal-UV or a PIN is already configured, we’ll prompt for a PIN / do UV and, if successful, create a resident key.

I'd like to vote that we do (i) where possible, and on devices (such as phones where we can't guide the user through PIN setup today) we do (ii), but with the intent to move to (i) in the long run.

What do folks think about this? Can we make a PR to tighten this up in the spec?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1463 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 31 July 2020 20:27:27 UTC