Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

> Is there something wrong with allowing a user to log in with an existing-credential-that-should-be-re-registered, then forcing the user to re-register it during login? Here's a flow we imagined for re-registering a credential:

Hmm, I don't completely follow your flow.

Also, it seems you're working off the assumption that we can naturally detect the "credential to re-register" during a normal sign-in flow. But if we could do that, we wouldn't need to re-register it. We could just note what credential was used and continue with Apple's/Google's advice from there.

But our problem is that this will *not* always happen during the natural flow. In particular, your suggested flow will ask the user to authenticate even if the authentication is guaranteed to fail — and it's not a good experience if the first thing on a new device is an error dialog that the RP can't even control (i.e. if the browser chooses an explanation for their WebAuthn dialog that is not relevant to this use case, the RP can't do anything about it).

There's also the slight technical detail that your suggested flow doesn't guarantee that the new registration replaces the expected old registration on the appropriate client, or that it can be used where the old registration was.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-819932427 using your GitHub account


Received on Thursday, 15 April 2021 00:22:23 UTC