
Re: [webauthn] Registering multiple devices without common interfaces (#1429)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 29 May 2020 17:37:29 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-636096893-1590773848-sysbot+gh@w3.org>

If an account is to be accessible only via WebAuthn authentication, then yes indeed, you will at some point need to connect two authenticators to the same client device if you want to register both of them. There's some work towards recovery solutions and using platform authenticators via Bluetooth. Ultimately, though, this is a question about the RP's and/or user's security policy, not really about the WebAuthn authentication mechanism.

>the possibility that some of my (backup) authenticators can't be registered with a standard compliant service, because another authenticator that can't be connected is already registered

I'm not sure what you mean by this. There's nothing in the spec that says RPs should limit how many authenticators a user can have - in fact, it [recommends the opposite](https://www.w3.org/TR/webauthn/#credential-loss-key-mobility):

>Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1429#issuecomment-636096893 using your GitHub account
Received on Friday, 29 May 2020 17:37:31 UTC
