- From: Lucas Garron via GitHub <sysbot+gh@w3.org>
- Date: Wed, 10 Feb 2021 01:18:09 +0000
- To: public-webauthn@w3.org
> > In that case, the RP cannot create a new registration without the risk of silently invalidating old registration. > > Don't understand. Why would existing registration will not suffice? And if a new credential is created somehow, then that credential will work. > > > > Sorry, don't understand the need for it. Once a credential is created, RP should check for `uv` bit to figure out whether that credential can be used for passwordless flows. And in .get() call you pass all the credentials which are `uv` capable to the authenticator if you are doing the with-username flows. We [don't know](https://github.com/w3c/webauthn/issues/1567) which existing registrations are a discoverable credentials and/or platform authenticators. In particular, there is no way to tell from a successful `get` response whether the authenticator be detected by `isUserVerifyingPlatformAuthenticatorAvailable()` in a fresh browser profile, right? I own at least one user-verifying authenticator that is not a platform authenticator, and Yubico has already announced they will sell one. > Windows don't store the request details, so we don't know. That's good to know! -- GitHub Notification of comment by lgarron Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-776360122 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 February 2021 01:18:10 UTC