Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

The residentKey parameter (which supersedes the requireResidentKey boolean) introduces the "preferred" semantic, which is new in the spec for L2. The credProps extension may be used in conjunction, and is designed to tell the RP what was actually provisioned (a resident/discoverable credential, suitable for a usernameless login scenario, or a non-resident credential suitable for second-factor). This allows the RP to then guide the user experience, e.g. to inform the user as to what scenarios they can use their new credential to achieve.

The uv policy is orthogonal to this; however, if setting residentKey=preferred I would always also set uv=preferred, as there is no point in provisioning a resident/discoverable credential that you want to use in a username-less login scenario without uv.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1510#issuecomment-721954578 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 November 2020 20:21:28 UTC
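
The combination described in the comment above, sketched as an added example that is not part of the original message or the spec: creation options that set residentKey and userVerification to "preferred" with credProps requested, and RP-side logic that reads the credProps result to choose which sign-in flows to offer. The function names, the returned labels, the RP name and the rule that usernameless sign-in is only offered when UV was performed at registration are assumptions of this example.

```javascript
// Added example. buildCreationOptions, classifyCredential and the returned
// labels are hypothetical names; "Example RP" is a constructed value.

// Options to pass as navigator.credentials.create({ publicKey: ... }).
function buildCreationOptions(challenge, user) {
  return {
    rp: { name: "Example RP" },
    user,                                   // { id, name, displayName }
    challenge,                              // random bytes issued by the RP server
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      residentKey: "preferred",             // supersedes requireResidentKey
      userVerification: "preferred",        // set together with residentKey
    },
    extensions: { credProps: true },        // ask what was actually provisioned
  };
}

// extResults: the value of credential.getClientExtensionResults().
// uvPerformed: the UV flag the RP server read from the verified authenticator data.
// credProps is client-reported and its rk member is optional, so a missing
// value means "not known", not "non-resident".
function classifyCredential(extResults, uvPerformed) {
  const props = extResults && extResults.credProps;
  const rk = props ? props.rk : undefined;
  if (rk === true) {
    // Assumed policy of this example: only advertise usernameless sign-in
    // when the credential is discoverable and UV happened at registration.
    return uvPerformed ? "usernameless" : "discoverable-without-uv";
  }
  if (rk === false) return "second-factor";
  return "unknown";
}
```
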