- From: Arshad Noor via GitHub <sysbot+gh@w3.org>
- Date: Tue, 17 Nov 2020 13:54:05 +0000
- To: public-webauthn@w3.org
arshadnoor has just created a new issue for https://github.com/w3c/webauthn:

== Making PublicKeyCredentialDescriptor.transports mandatory ==

When John Doe registers a new key with an RP, using a platform authenticator on a computing device, his newly generated private key is bound to that platform authenticator on that computing device. Clearly, when he attempts to authenticate to the RP site from _another_ computing device, he is not going to succeed.

The [_transports_](https://www.w3.org/TR/webauthn-2/#enum-transport) member of PublicKeyCredentialDescriptor has the ability to signal the RP that the registered key was generated from an **_internal_** authenticator (as opposed to one using transport protocols of external authenticators, namely: _usb_, _nfc_ or _ble_).

Since _transports_ is currently OPTIONAL, it prevents the RP from properly signaling John Doe in the use-case defined above: that, in order to authenticate with his FIDO key to the RP site, he must use the original computing device - or use an alternate method to log in to the RP's site.

Secondly, if the RP knew that John Doe has a second registered credential, whose _transports_ identified one of _usb_, _nfc_ or _ble_, it would also allow the RP to suggest he use that external authenticator to log in to the RP site. But since _transports_ is currently optional, this information is not consistently available to the RP.

It is recommended to make _transports_ mandatory, have RPs store them on the FIDO server, and use that information within their applications to present messages that provide a better user experience.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1522 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 17 November 2020 13:54:06 UTC
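
Added example (not part of the original message, the issue author's code, or the WebAuthn specification): a sketch of the RP-side decision the issue describes, using stored _transports_ to choose a login hint and showing what happens when the member was never recorded. The function names, hint strings and credential records are assumptions made for illustration; the records are constructed sample data.

```javascript
// Transports the issue lists for external (roaming) authenticators.
const ROAMING = new Set(["usb", "nfc", "ble"]);

// Classify one stored credential by the transports saved at registration.
// `transports` may be absent because the member is OPTIONAL.
function classify(cred) {
  const t = Array.isArray(cred.transports) ? cred.transports : [];
  if (t.some((x) => ROAMING.has(x))) return "roaming";
  if (t.includes("internal")) return "platform";
  return "unknown"; // missing, empty, or unrecognised values
}

// Build allowCredentials for the assertion request and pick a UI hint.
// Hint strings are hypothetical labels an RP application would map to text.
function planLogin(stored) {
  const kinds = stored.map(classify);
  const allowCredentials = stored.map((c, i) => {
    const d = { type: "public-key", id: c.id };
    if (kinds[i] !== "unknown") d.transports = c.transports;
    return d;
  });
  let hint;
  if (stored.length === 0) hint = "no-credentials";
  else if (kinds.includes("roaming")) hint = "security-key-available";
  else if (kinds.every((k) => k === "platform"))
    hint = "use-original-device-or-fallback";
  else hint = "no-guidance"; // an unknown credential might be usable anywhere
  return { allowCredentials, hint };
}

// Constructed sample records (ids are placeholders, not real credential ids).
const laptopOnly = [{ id: "cred-laptop", transports: ["internal"] }];
const laptopAndKey = [
  { id: "cred-laptop", transports: ["internal"] },
  { id: "cred-key", transports: ["usb", "nfc"] },
];
const notRecorded = [
  { id: "cred-laptop", transports: ["internal"] },
  { id: "cred-old" }, // registered without transports being stored
];

for (const set of [laptopOnly, laptopAndKey, notRecorded]) {
  console.log(planLogin(set).hint);
}
```

The third case is the one the issue is about: a single credential without recorded transports leaves the RP unable to tell the user whether the original device is required.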