W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2020

Re: [webauthn] Registering multiple devices without common interfaces (#1429)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 05 Jun 2020 15:14:51 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-639557762-1591370090-sysbot+gh@w3.org>
>What I meant is a theoretical scenario where you have registered a device as authenticator and the device itself does not support any form of roaming authenticator (no USB, Bluetooth, NFC, etc.). How would you be able to register another device if there a no token that you can use to bridge the gap between the devices?

Correct: you wouldn't be able to. You would have to relax authentication requirements (if the RP allows it), transplant/delegate the session, or authenticate by some other mechanism.

>But now you can't register the first one again.

That's not necessarily true - it would depend on the RP's implementation and/or security policy.

>I still wonder if there are any plans for the future

Sorry, there are not. However: unless the RP restricts allowable authenticators via attestation (which few RPs are likely to do), there's nothing stopping users from using authenticators (say, browser extensions) that allow exporting/importing credentials.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1429#issuecomment-639557762 using your GitHub account
Received on Friday, 5 June 2020 15:14:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 5 June 2020 15:14:53 UTC