[webauthn] Registering multiple devices without common interfaces (#1429)

Nesuma has just created a new issue for https://github.com/w3c/webauthn:

== Registering multiple devices without common interfaces ==
I'm wondering how a user could register another authenticator for a service when both devices don't share at least one interface for a roaming authenticator. In #151 OTPs or e-mails are presented as a solution to authenticate the user once on the new device without the FIDO2 authenticator, therefore enabling the registration of this new device. This seems useful to me but would create weaknesses.

Is a solution for this in any form planned for the future? I guess that RPs could already implement a feature like this, but from a customer viewpoint, with my current knowledge, I wouldn't want to use FIDO2 because of the possibility that some of my (backup) authenticators can't be registered with a standard-compliant service, because another authenticator that can't be connected is already registered. Therefore a solution in the specification is needed so that a customer can be sure that they could register all their authenticators for every compliant service.

Having multiple authenticators with different key sets seems like a real usability problem, but phishable OTPs or similar are a security problem. Do users just have to accept that maybe the only solution is to have multiple dongles for specific devices missing an interface?

FIDO2 wants to be comfortably usable and secure. How?
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1429 using your GitHub account

Received on Friday, 29 May 2020 08:23:24 UTC