Re: [webauthn] Cross-origin credential creation in iframes (#1656)

Please forgive my lack of intimate knowledge about the payments ecosystem, Natalie (@ncthbrt). There are many terms in your use-case that are not clear to me.

> Allow the user to sign in to one or more **institutions** 

Are you referring to the Merchant, PSP or the Issuer, here?

> from their **device**. 

Are you referring to their mobile device, desktop/laptop or Security Key (aka FIDO Authenticator) here?

> This typically entails entering **credentials** 

Which credentials are you referring to here? For passwordless FIDO/WebAuthn authentication, there is nothing for the Consumer to type in.

> Note: Storing these credentials is NOT what we want to use the WebAuthn API for.

The RP that registers a FIDO/WebAuthn credential is required to store some credential-related information - these are not secrets, but some information _has_ to be stored to verify assertions - otherwise, there is no point in using FIDO.

The remaining statements in your flow will become clearer once the meanings of the terms above are clarified.

-- 
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1656#issuecomment-892998260 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 4 August 2021 21:49:53 UTC
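
Added example, not part of the original message or of any project's code: a Node.js sketch of the point made above, that the RP stores only non-secret credential data (credential ID, public key, signature counter) and needs it to verify assertions. All helper names, the `example.com` RP ID and the challenge value are constructed, and the check is simplified (ES256 only, no attestation or extensions).

```javascript
const crypto = require("node:crypto");
const sha256 = (buf) => crypto.createHash("sha256").update(buf).digest();

// authenticatorData = rpIdHash(32) || flags(1) || signCount(4, big-endian)
function buildAuthData(rpId, signCount) {
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  return Buffer.concat([sha256(Buffer.from(rpId)), Buffer.from([0x05]), counter]);
}

// Constructed stand-in for an authenticator: the private key never leaves it.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const sign = (authData, clientDataJSON) =>
    crypto.sign("sha256", Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
  // What the RP stores at registration: identifier, public key, counter. No secret.
  const record = { credentialId: crypto.randomBytes(16).toString("base64url"), publicKeyPem: publicKey.export({ type: "spki", format: "pem" }), signCount: 0 };
  return { sign, record };
}

// RP-side check of one assertion against the stored record.
function verifyAssertion(record, expected, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad type";
  if (client.challenge !== expected.challenge) return "bad challenge";
  if (client.origin !== expected.origin) return "bad origin";
  const authData = assertion.authenticatorData;
  if (authData.length < 37) return "short authData";
  if (!authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return "bad rpIdHash";
  if ((authData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, record.publicKeyPem, assertion.signature)) return "bad signature";
  const count = authData.readUInt32BE(33);
  if ((count !== 0 || record.signCount !== 0) && count <= record.signCount) return "counter regression";
  record.signCount = count; // the only stored field that changes per login
  return "ok";
}

// Constructed run: one valid assertion, then the same bytes presented again.
function demo() {
  const expected = { rpId: "example.com", origin: "https://example.com", challenge: "Y29uc3RydWN0ZWQ" };
  const { sign, record } = makeAuthenticator();
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge: expected.challenge, origin: expected.origin }));
  const authenticatorData = buildAuthData(expected.rpId, 1);
  const assertion = { clientDataJSON, authenticatorData, signature: sign(authenticatorData, clientDataJSON) };
  return [verifyAssertion(record, expected, assertion), verifyAssertion(record, expected, assertion)];
}
```

Without the stored public key the signature check cannot run, and without the stored counter the second call would also return "ok".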