Re: [webauthn] Device-bound key extension (#1658)

To give an example:

Modern sign-in systems are risk-analysis systems that ingest a lot of signals before deciding whether to allow a sign-in. (And, usually, continue to collect risk signals even after allowing a sign-in and have the ability to revise their opinion.)

Say that a sign-in request appears with a geolocation that has not been seen for this account before, and is outside of the typical working hours observed for the account. The risk may be deemed high enough not to allow the request, even with a synced credential. But if a device-bound signature can also be presented and it's a device-bound key that is well established for this user, then that may tip the balance.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-895619435 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 9 August 2021 23:29:56 UTC
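The balance-tipping logic described in the comment above, as an added illustration (editorial example, not code from the WebAuthn spec or from the comment author): a small risk engine that scores a sign-in from a constructed set of signals (unseen geolocation, off-hours, and whether a device-bound signature from a key already established for the account was presented). The weights, the allow threshold, the "established after 30 days" rule, the signal names and the sample account history are all assumptions chosen for the example; the engine also assumes that the device-bound signature itself has already been cryptographically verified against the stored public key before its key id reaches the scorer.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed policy knobs (assumptions for this example, not spec values).
ALLOW_THRESHOLD = 50            # scores below this are allowed
ESTABLISHED_AFTER = timedelta(days=30)  # a device-bound key older than this counts as established
EXAMPLE_NOW = datetime(2021, 8, 9, 23, 0, tzinfo=timezone.utc)


@dataclass
class SignInAttempt:
    account: str
    geolocation: str                    # e.g. a country/region code
    hour_local: int                     # hour of day in the account's local time
    credential_synced: bool             # the presented passkey is a synced credential
    device_bound_key_id: Optional[str]  # key id behind a (pre-verified) device-bound signature, if any


@dataclass
class AccountHistory:
    known_geolocations: Set[str]
    typical_hours: Tuple[int, int]               # inclusive (start, end) range of usual hours
    device_bound_keys: Dict[str, datetime]       # key id -> when this key was first seen on the account


def score_signin(attempt: SignInAttempt, history: AccountHistory, now: datetime) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Higher means riskier; a score never drops below zero."""
    score = 0
    reasons: List[str] = []

    # Contextual anomalies add risk regardless of which credential was used.
    if attempt.geolocation not in history.known_geolocations:
        score += 40
        reasons.append("geolocation not seen before for this account")
    start, end = history.typical_hours
    if not (start <= attempt.hour_local <= end):
        score += 25
        reasons.append("outside typical hours")

    # A device-bound signature only earns credit if the key is already known for
    # this account; a key the account has never seen proves nothing about the user.
    # An established key removes enough risk to flip the decision; a key enrolled
    # only days ago is weaker evidence, since an attacker holding a synced
    # credential could have enrolled it themselves recently.
    key_id = attempt.device_bound_key_id
    if key_id is not None and key_id in history.device_bound_keys:
        if now - history.device_bound_keys[key_id] >= ESTABLISHED_AFTER:
            score -= 35
            reasons.append("established device-bound key presented")
        else:
            score -= 10
            reasons.append("recently enrolled device-bound key presented")

    return max(score, 0), reasons


def decide(attempt: SignInAttempt, history: AccountHistory, now: datetime) -> str:
    score, _ = score_signin(attempt, history, now)
    return "allow" if score < ALLOW_THRESHOLD else "deny"


def build_sample_history(now: datetime) -> AccountHistory:
    # Constructed account history: one long-established device key, one enrolled two days ago.
    return AccountHistory(
        known_geolocations={"US"},
        typical_hours=(8, 18),
        device_bound_keys={
            "key-laptop": now - timedelta(days=200),
            "key-newphone": now - timedelta(days=2),
        },
    )


def example_decisions() -> Dict[str, Tuple[int, str]]:
    """Run the scenario from the comment: unseen location, off hours, with and without a device-bound key."""
    history = build_sample_history(EXAMPLE_NOW)
    scenarios = {
        "usual place and hours, synced only": SignInAttempt("alice", "US", 10, True, None),
        "new place, off hours, synced only": SignInAttempt("alice", "BR", 3, True, None),
        "new place, off hours, established device key": SignInAttempt("alice", "BR", 3, True, "key-laptop"),
        "new place, off hours, key enrolled 2 days ago": SignInAttempt("alice", "BR", 3, True, "key-newphone"),
        "new place, off hours, key unknown to account": SignInAttempt("alice", "BR", 3, True, "key-unknown"),
    }
    results = {}
    for name, attempt in scenarios.items():
        score, _ = score_signin(attempt, history, EXAMPLE_NOW)
        results[name] = (score, decide(attempt, history, EXAMPLE_NOW))
    return results


if __name__ == "__main__":
    for name, (score, verdict) in example_decisions().items():
        print(f"{score:3d}  {verdict:5s}  {name}")
```

The two anomalies alone push the constructed score to 65, above the threshold, so the synced credential by itself is refused; the same request accompanied by a signature from the 200-day-old device key scores 30 and is allowed, while the key enrolled two days ago (55) or a key the account has never registered (65) does not tip the balance.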