Re: [webauthn] Registering multiple devices without common interfaces (#1429)

>What I meant is a theoretical scenario where you have registered a device as authenticator and the device itself does not support any form of roaming authenticator (no USB, Bluetooth, NFC, etc.). How would you be able to register another device if there a no token that you can use to bridge the gap between the devices?

Correct: you wouldn't be able to. You would have to relax authentication requirements (if the RP allows it), transplant/delegate the session, or authenticate by some other mechanism.

>But now you can't register the first one again.

That's not necessarily true - it would depend on the RP's implementation and/or security policy.

>I still wonder if there are any plans for the future

Sorry, there are not. However: unless the RP restricts allowable authenticators via attestation (which few RPs are likely to do), there's nothing stopping users from using authenticators (say, browser extensions) that allow exporting/importing credentials.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Friday, 5 June 2020 15:14:52 UTC