Re: [webauthn] Device-bound key extension (#1658)

@dwaite regarding #3, today, when a platform authenticator is registered as a "trusted device" for step up, it is ultimately trusting the app 

A platform that uses device-scoped DPKs can offer a better user experience across apps using the same RP. Example: I start my interactions with github.com in browser A by authenticating with a passkey. The RP does not recognize this DPK and requires a step up / second factor. Now I use the GitHub app and present my passkey again. Since the RP sees the same DPK again, no step up / second factor is required. I then open browser B and authenticate to github.com with my passkey and again I'm not required to step up as the RP recognizes the DPK. Platforms may provide users the ability to reset the device key as part of their credential management UI.

Some platform vendors do not believe the DPK should be shared between apps/contexts. This resulted in the compromise proposed as part of this issue where the platform can signal what the DPK represents.

I should also note that RPs who do not require a hardware bound device key do not need to request a DPK. I imagine that some platforms will not mint new DPKs until they are requested by an RP.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1658#issuecomment-897672612 using your GitHub account
-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 12 August 2021 14:10:31 UTC
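The step-up decision the comment walks through (browser A, then the GitHub app, then browser B sharing one device-scoped DPK, versus per-app DPKs that never match), as an added illustration that is not part of the thread or of the WebAuthn spec text. It assumes a toy in-memory RP, represents a DPK by its raw public-key bytes identified through a SHA-256 fingerprint, and treats the assertion's DPK signature as already verified; the platform's "what this DPK represents" signal is modelled only indirectly, as whether clients present the same key or distinct keys. The `Assertion`, `DpkOutput` and `RelyingParty` names and all key bytes are constructed for the example.

```python
"""Toy relying-party logic for deciding step-up based on a device public key (DPK).

Constructed example: the RP only trusts a DPK for a credential after a
step-up has succeeded with that DPK present, so an attacker who merely
replays an unknown DPK still hits the second factor.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class DpkOutput:
    """Output of the devicePubKey extension as seen by the RP (signature assumed verified)."""
    public_key: bytes  # raw DPK bytes; constructed sample values below


@dataclass(frozen=True)
class Assertion:
    credential_id: str        # the passkey being used
    client: str               # which browser/app produced the assertion (for the trace only)
    dpk: Optional[DpkOutput]  # None when the platform did not return a DPK


class RelyingParty:
    def __init__(self) -> None:
        # credential id -> fingerprints of DPKs that have completed a step-up
        self._trusted: Dict[str, Set[str]] = {}

    @staticmethod
    def fingerprint(dpk: DpkOutput) -> str:
        return hashlib.sha256(dpk.public_key).hexdigest()

    def needs_step_up(self, a: Assertion) -> bool:
        """True unless this exact DPK has already been bound to the credential."""
        if a.dpk is None:
            return True  # policy: no device binding presented, always step up
        return self.fingerprint(a.dpk) not in self._trusted.get(a.credential_id, set())

    def record_step_up_success(self, a: Assertion) -> None:
        """Bind the DPK to the credential only after the second factor passed."""
        if a.dpk is None:
            return
        self._trusted.setdefault(a.credential_id, set()).add(self.fingerprint(a.dpk))

    def forget_device(self, credential_id: str, dpk: DpkOutput) -> None:
        """RP-side revocation, e.g. when the user reports the device lost."""
        self._trusted.get(credential_id, set()).discard(self.fingerprint(dpk))


CLIENTS = ("browser A", "GitHub app", "browser B")


def run_scenario(dpk_per_client: Dict[str, DpkOutput]) -> List[bool]:
    """Replay the three sign-ins from the comment; return whether each needed step-up."""
    rp = RelyingParty()
    decisions = []
    for client in CLIENTS:
        a = Assertion("cred-1", client, dpk_per_client.get(client))
        step_up = rp.needs_step_up(a)
        decisions.append(step_up)
        if step_up:
            rp.record_step_up_success(a)  # assume the user passes the second factor
    return decisions


# Constructed keys: one device-scoped DPK shared by every client on the device...
DEVICE_KEY = DpkOutput(b"constructed-device-scoped-key-bytes")
DEVICE_SCOPED = {c: DEVICE_KEY for c in CLIENTS}
# ...versus a platform that mints a distinct DPK per app/context.
APP_SCOPED = {c: DpkOutput(f"constructed-app-scoped-key-{c}".encode()) for c in CLIENTS}


def after_device_key_reset() -> bool:
    """After the user resets the device key, the next sign-in must step up again."""
    rp = RelyingParty()
    old = Assertion("cred-1", "browser A", DEVICE_KEY)
    rp.record_step_up_success(old)
    fresh = Assertion("cred-1", "browser A", DpkOutput(b"constructed-key-after-reset"))
    return rp.needs_step_up(fresh)


if __name__ == "__main__":
    print("device-scoped:", run_scenario(DEVICE_SCOPED))  # [True, False, False]
    print("app-scoped:   ", run_scenario(APP_SCOPED))     # [True, True, True]
    print("no DPK:       ", run_scenario({}))             # [True, True, True]
    print("after reset:  ", after_device_key_reset())     # True
```

The design choice worth noting is that the DPK is bound in `record_step_up_success`, not in `needs_step_up`: remembering a never-before-seen key at first sight would let any client that presents the passkey plus an arbitrary DPK skip the second factor on its next attempt.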