
Re: [webauthn] Surface platform authenticator status in the `create` response / help RPs track UV/PA/RK (#1567)

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 12:18:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-776668858-1612959528-sysbot+gh@w3.org>

> How safe is it to assume that internal means platform authenticator?

"Internal" means platform authenticator. However, mobiles can also act like a roaming authenticator. So in that case, in addition to "internal", they will also include other transports. Overall it is a **_hint_** for the platform, and the RP should store it and pass it back to the platform. However, they should not rely on exact implementation behavior, as those are actually hints.

> is it desirable that the API only allows indirect access to authenticator UV/PA/RK, and using different opt-in mechanisms? 

I would be against allowing certain authenticators and not others, if that's what you are asking. In a way, specifying the attachment=platform property limits one to platform authenticators, but that was for a special case for registration. For authentication, intentionally, there is no attachment property, as a platform can be interacted with via other mechanisms.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1567#issuecomment-776668858 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 February 2021 12:18:51 UTC
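
The store-and-pass-back handling of transports described in the message above, as an added example that is not part of the original message or of the WebAuthn specification text. The function names, the in-memory store and the credential IDs are hypothetical; the transport list is assumed to come from `response.getTransports()` at registration.

```javascript
// Added example; all names and sample values are hypothetical/constructed.
const credentialStore = new Map(); // credentialId (base64url) -> { userId, transports }

// Registration: keep what getTransports() reported, verbatim (deduplicated only).
// Unknown transport strings are kept, since the list is passed back, not interpreted.
function storeCredential(userId, credentialIdB64url, reportedTransports) {
  const transports = [...new Set(reportedTransports || [])];
  credentialStore.set(credentialIdB64url, { userId, transports });
  return transports;
}

// Advisory label for UI or logging only. Because transports are hints,
// this must never feed an authorization or assurance decision.
function attachmentHint(transports) {
  if (!transports || transports.length === 0) return "unknown";
  const internal = transports.includes("internal");
  const others = transports.some((t) => t !== "internal");
  if (internal && others) return "platform-and-roaming"; // e.g. a phone
  return internal ? "platform" : "roaming";
}

// Authentication: hand the stored hints back unfiltered. No attachment
// filter is applied, matching the absence of one for authentication.
function buildAllowCredentials(userId) {
  const descriptors = [];
  for (const [id, rec] of credentialStore) {
    if (rec.userId !== userId) continue;
    const d = { type: "public-key", id }; // client decodes id to bytes
    if (rec.transports.length > 0) d.transports = rec.transports;
    descriptors.push(d);
  }
  return descriptors;
}

// Constructed sample registrations.
storeCredential("alice", "cred-laptop", ["internal"]);
storeCredential("alice", "cred-phone", ["internal", "ble", "nfc"]);
storeCredential("alice", "cred-key", ["usb", "nfc", "usb"]);
storeCredential("alice", "cred-legacy", undefined); // no transports reported
```
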
