- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Fri, 29 May 2020 17:37:29 +0000
- To: public-webauthn@w3.org

If an account is to be accessible only via WebAuthn authentication, then yes indeed, you will at some point need to connect two authenticators to the same client device if you want to register both of them. There's some work towards recovery solutions and using platform authenticators via Bluetooth. Ultimately, though, this is a question about the RP's and/or user's security policy, not really about the WebAuthn authentication mechanism.

> the possibility that some of my (backup) authenticators can't be registered with a standard compliant service, because another authenticator that can't be connected is already registered

I'm not sure what you mean by this. There's nothing in the spec that says RPs should limit how many authenticators a user can have - in fact, it [recommends the opposite](https://www.w3.org/TR/webauthn/#credential-loss-key-mobility):

> Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account.

--
GitHub Notification of comment by emlun

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1429#issuecomment-636096893 using your GitHub account

Received on Friday, 29 May 2020 17:37:31 UTC