Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

> > especially once you consider non-homogenous authenticator classes that webauthn by design can't mix/match
> 
> Would you like to elaborate on this? This is definitely not an intentional design goal, if I understand correctly what you mean.

I have a write-up on the topic here:

https://github.com/kanidm/webauthn-rs/blob/master/designs/authentication-use-cases.md

The tl;dr is you can't mix verified and un-verified credentials, or resident/non-resident credentials. The UI must always perform pre-selection to help select what challenges can be sent to navigator.credentials.get. So even if devices can share credentials, there still is an expectation on RPs to implement a UX to do filtering of what can proceed.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-902317083 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 19 August 2021 23:25:24 UTC
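
Added example (not part of the original comment, and not code from webauthn-rs): one way an RP could do the pre-selection described above, given that userVerification is a single per-request setting and allowCredentials is either empty (discoverable credentials) or an explicit list. The record fields, class names and the UV policy mapping are assumptions made for illustration.

```javascript
// Constructed sample records; the fields (id, uv, discoverable) are hypothetical
// names for what an RP would store at registration time.
const storedCredentials = [
  { id: "cred-A", uv: true, discoverable: false },
  { id: "cred-B", uv: false, discoverable: false },
  { id: "cred-C", uv: true, discoverable: false },
  { id: "cred-D", uv: true, discoverable: true },
];

// Partition credentials into classes that can share one get() request.
function credentialClasses(creds) {
  const classes = new Map();
  for (const c of creds) {
    const key = (c.uv ? "verified" : "unverified") + "/" +
      (c.discoverable ? "resident" : "non-resident");
    if (!classes.has(key)) classes.set(key, []);
    classes.get(key).push(c);
  }
  return classes;
}

// Build PublicKeyCredentialRequestOptions for the single class the user picked.
function requestOptionsFor(creds, chosenClass, challenge) {
  const members = credentialClasses(creds).get(chosenClass);
  if (!members) throw new Error("no credentials in class " + chosenClass);
  const [verification, residency] = chosenClass.split("/");
  return {
    challenge, // fresh random bytes generated server-side per request
    // Assumed policy: verified classes demand UV, unverified ones skip it.
    userVerification: verification === "verified" ? "required" : "discouraged",
    // Empty list = discoverable-credential flow; otherwise list only this class.
    allowCredentials: residency === "resident" ? [] : members.map((c) => ({
      type: "public-key",
      id: new TextEncoder().encode(c.id), // real ids are raw bytes
    })),
  };
}

// The UI offers these choices before calling navigator.credentials.get.
function selectableClasses(creds) {
  return [...credentialClasses(creds).keys()].sort();
}
```

The object returned by requestOptionsFor is what would be passed as the publicKey member to navigator.credentials.get, one class per call.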