Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

> How should this work if a user is logging in from a brand-new browser profile?

If you are talking about the case where there is no client (browser) side information about the credential, why not just identify the user first and then try to get the associated credentials from the server?

> At GitHub, we want to make trusted device functionality available to as many people as possible, so it will not be tied directly to 2FA. Most users will still only need a password to log into a new browser profile, even if they have registered a trusted device. When such a user logs in, we don't learn which/if any of their registrations are available in that browser/device.

First of all, when you allow users to register the platform authenticator, you should store that information.
Without such information, it would be hard for the RP to make a decision in an authentication flow.
While adopting WebAuthn, supporting different types of authenticators and policies is hard, and it could even be a disaster:
 - RK and/or NRK
 - Platform and/or cross-platform
 - Usernameless and/or passwordless

My idea about your situation is:
 - When deploying the trusted device feature, you only allow it for users who have registered a platform authenticator (with attachment), and you store that information on the server side.
 - If there is no ambient credential (maybe a fresh browser, or cookies were cleared), you just prompt the normal authentication process with a password. Then the RP can get the associated credentials for that user, search for the platform authenticator credentials, and ask for user authentication with those credentials in the allowList.
 - If the user is successfully authenticated with the platform authenticator credentials, you create an ambient credential for this browser.
 - If you get an error saying there is no such credential on this device (platform), ask the user to register the platform authenticator.


-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-820019353 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 April 2021 02:53:46 UTC
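The RP-side decision logic for the flow proposed in the comment above, as an added example that is not part of the comment, the GitHub implementation or the WebAuthn spec. The data shapes, function names and the "ambient credential" flag are assumptions for illustration; assertion signature verification is assumed to have happened before `after_assertion` is called.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class StoredCredential:
    credential_id: bytes
    attachment: str                      # "platform" or "cross-platform", recorded at registration
    transports: List[str] = field(default_factory=list)


@dataclass
class UserRecord:
    username: str
    credentials: List[StoredCredential] = field(default_factory=list)


def platform_allow_list(user: UserRecord) -> list:
    """allowCredentials restricted to the platform-authenticator credentials the RP stored."""
    return [{"type": "public-key", "id": c.credential_id, "transports": c.transports}
            for c in user.credentials if c.attachment == "platform"]


def next_step(user: UserRecord, password_verified: bool, ambient_present: bool) -> dict:
    """Pick the next client prompt. Users with no stored platform credential never get
    the trusted-device flow; a fresh profile (no ambient credential) is identified by
    password first, then offered a get() scoped to its platform credentials."""
    allow = platform_allow_list(user)
    if not allow:
        return {"step": "done" if password_verified else "password"}
    if not ambient_present and not password_verified:
        return {"step": "password"}      # no client-side hint: identify the user first
    return {"step": "webauthn_get", "allowCredentials": allow, "userVerification": "required"}


def after_assertion(user: UserRecord, outcome: str,
                    credential_id: Optional[bytes] = None) -> dict:
    """outcome is what the client reported from navigator.credentials.get():
    'assertion' (with the credential id that signed) or 'not_allowed' when the
    platform authenticator holds none of the allowed credentials."""
    if outcome == "assertion":
        allowed_ids = {c.credential_id for c in user.credentials if c.attachment == "platform"}
        if credential_id in allowed_ids:
            # Success: remember on this browser that a platform credential exists here.
            return {"action": "set_ambient_credential", "credential_id": credential_id}
        return {"action": "reject"}      # id was not in the allowList the RP issued
    # No usable credential on this device: offer registration of a platform authenticator.
    return {"action": "register_platform_authenticator"}
```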