Re: [webauthn] Support a "create or get [or replace]" credential re-association operation (#1568)

> As far as I know, there are no browsers that currently allow users to manage registrations. All the registrations remain forever.

For this, in the case of Chrome (maybe Edge as well), you can manage security keys.
But I'm not sure how many users know about this setting when they are using security keys.

I agree with these concerns when deploying WebAuthn to a large number of customers. If WebAuthn is mature, the browsers behave the same and users are well educated, we can go with a username-less flow with resident keys regardless of the authenticator attachment. E.g., the RP just presents a button saying "authenticate with trusted device". If there is a user session or something similar, the RP might leverage that hint for better usability.

At this stage, the RP might try to go with a password-less flow by asking for the username first (if there is no hint on the browser side) and then prompting for authentication with credential IDs. Depending on the authentication response, the RP might ask for a further authentication factor to meet its security requirements.
But if the RP's ultimate goal is a username-less flow, RPs should decide the policy on whether they allow non-resident-key, non-user-verifying security keys from the beginning, although these authenticators eventually are now allowed at some point.

GitHub Notification of comment by Kieun

Received on Tuesday, 9 February 2021 10:09:31 UTC
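
An added example, not part of the original message: a sketch of the two flows the comment contrasts, showing how an RP could build the `navigator.credentials.get()` options for each and decide on a further factor from the UV flag in the authenticator data. The function names, the `"preferred"`/`"required"` choice and the step-up policy are assumptions for illustration; signature, challenge and rpIdHash verification are assumed to have been done already.

```javascript
// Added illustration; function names and the policy are hypothetical.
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified

// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// knownCredentialIds: credential IDs (Uint8Array) stored for the username
// the user typed, or [] when the RP has no username or session hint.
function buildRequestOptions(challenge, rpId, knownCredentialIds) {
  const usernameless = knownCredentialIds.length === 0;
  return {
    challenge,
    rpId,
    // Empty list: only discoverable (resident) credentials can answer.
    allowCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
    // Username-less: the authenticator is the only factor, so require UV.
    userVerification: usernameless ? "required" : "preferred",
    timeout: 60000,
  };
}

// Authenticator data layout: rpIdHash (32) | flags (1) | signCount (4) | ...
function parseFlags(authData) {
  if (authData.length < 37) throw new RangeError("authenticator data too short");
  const flags = authData[32];
  return { userPresent: (flags & FLAG_UP) !== 0, userVerified: (flags & FLAG_UV) !== 0 };
}

// Decide what the RP does once the assertion signature has been verified.
function nextStep(authData, usernameless) {
  const { userPresent, userVerified } = parseFlags(authData);
  if (!userPresent) return "reject";
  if (userVerified) return "signed_in";
  // No UV: tolerated only in the username-first flow, with a further factor.
  return usernameless ? "reject" : "ask_additional_factor";
}

// Constructed sample data: zeroed rpIdHash, the given flags, signCount 1.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 1;
  return data;
}
```

In production the challenge must be fresh random bytes per request; the zeroed values here are constructed test input only.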