Re: [webauthn] Multiple Authenticator Options and Policies (#1601)

Yes, RPs typically do not dictate what kinds of UV the user may use, rather the user may choose through their choice of authenticator. The RP may limit the user's options by enforcing an attestation policy of acceptable authenticators. Apart from that, might your UV method concerns be covered by the [`uvm` extension](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#sctn-uvm-extension)?

PIN policy seems to me like it's also best handled via attestation policy, as attestation would be required anyway for the RP to trust that the authenticator honestly enforces the PIN policy. For example, I think FIDO certification requires some level of PIN complexity enforcement.



-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1601#issuecomment-825851844 using your GitHub account


Received on Friday, 23 April 2021 18:47:19 UTC
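
The attestation-based policy described in the comment above, sketched as an added example (not code from the thread or from the WebAuthn spec): an RP-side check of the UV flag, an AAGUID allowlist, and any `uvm` entries. The policy object, function names and sample bytes are constructed, and the attestation statement is assumed to have been verified already.

```javascript
// Added example. Assumes the attestation statement was already verified against a
// trusted root; without that, the AAGUID read below is an unauthenticated claim.

// userVerificationMethod values from the FIDO Registry of Predefined Values.
const UV_METHODS = { 0x1: 'presence', 0x2: 'fingerprint', 0x4: 'passcode',
                     0x8: 'voiceprint', 0x10: 'faceprint', 0x80: 'pattern' };

// Hypothetical RP policy: accepted authenticator models and accepted UV methods.
const POLICY = {
  allowedAaguids: new Set(['00112233-4455-6677-8899-aabbccddeeff']), // constructed
  allowedUvMask: 0x2 | 0x4, // fingerprint or passcode (PIN)
};

function formatAaguid(buf) {
  const h = buf.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// authData layout: rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | ...]
function checkRegistration(authData, uvm) {
  if (authData.length < 37) return { ok: false, reason: 'authData too short' };
  const flags = authData[32];
  if (!(flags & 0x04)) return { ok: false, reason: 'UV flag not set' };
  if (!(flags & 0x40) || authData.length < 55)
    return { ok: false, reason: 'no attested credential data' };
  const aaguid = formatAaguid(authData.subarray(37, 53));
  if (!POLICY.allowedAaguids.has(aaguid))
    return { ok: false, reason: `authenticator ${aaguid} not accepted` };
  // uvm entries: [userVerificationMethod, keyProtectionType, matcherProtectionType].
  // Authenticators without uvm support pass on the AAGUID allowlist alone.
  for (const [method] of uvm ?? []) {
    if (!(method & POLICY.allowedUvMask))
      return { ok: false, reason: `UV method ${UV_METHODS[method] ?? method} not accepted` };
  }
  return { ok: true, aaguid };
}

// Constructed authData: zero rpIdHash, given flags, signCount 0, AAGUID, empty credential ID.
function sampleAuthData(flags, aaguidHex) {
  return Buffer.concat([Buffer.alloc(32), Buffer.from([flags]), Buffer.alloc(4),
                        Buffer.from(aaguidHex, 'hex'), Buffer.alloc(2)]);
}

const good = sampleAuthData(0x45, '00112233445566778899aabbccddeeff'); // UP | UV | AT
console.log(checkRegistration(good, [[0x4, 0x2, 0x4]])); // passcode, hardware key, on-chip matcher
```

The `uvm` argument here is the value from the client extension results; a strict RP would read the signed copy from the extensions map inside the authenticator data instead.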