Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569) from Lucas Garron via GitHub on 2021-02-10 (public-webauthn@w3.org from February 2021)

From: Lucas Garron via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 20:16:17 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-776997996-1612988176-sysbot+gh@w3.org>

> There are many user-verifying authenticators that are not a platform authenticators and Yubico already sells one. May be you are confusing fingerprint based authenticators with user-verifying based authenticators. user verifying authenticators also consists of authenticators which are local PIN based.

I *believe* understand the UV/PA/RK properties well enough.

My point is more that the API does not allow us to distinguish PA/RK for existing registrations, especially if we did not save transport data. So if we wanted to enforce UV+PA for new registrations, we wouldn't know which old registrations satisfy it.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-776997996 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 10 February 2021 20:16:19 UTC