Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

> At least, the RP should have knowledge about the registered authenticator so that the RP can refer to that knowledge to decide the user login flow.

How should this work if a user is logging in from a brand-new browser profile?

At GitHub, we want to make trusted device functionality available to as many people as possible, so it will not be tied to 2FA. Most users will only need a password to log into a new browser profile, and [we never learn whether any registrations are available in that browser/device, or which ones](https://github.com/w3c/webauthn/issues/1566#issuecomment-782444786). At GitHub, we're planning to use some UA sniffing heuristics to direct the user experience for registration (in the hope that #1568 will offer a better solution some day).

> For the re-registration issue, the registration is performed after the user account is identified with an authenticated session, so the RP would have the list of registered credentials for that account. So you can safely exclude such credentials by populating those credential IDs in `excludeCredentials` if you ask the user to register an authenticator.

I still have concerns about this:

- The RP still has to know which credential is intended to be replaced (which e.g. requires an extra prompt in general).
- The RP has no guarantee that the new registration is actually a "re-registration". It's likely to be so (especially for platform authenticators, which tend to be unique per device), but I can definitely think of edge cases.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-819954776 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 April 2021 01:32:17 UTC