Re: [webauthn] User verification policy leads to ambiguous usage situations. (#1510)

Two suggestions from out of band discussion @Firstyear for non-normative changes that would help RP developers:

1. Step 16 of [Registering a New Credential]( may be best moved to between 21/22 because before that point most implementations won't have access to the credential alg type.

2. An explanatory note for RP developers that there is value in storing against the user's account not just the credential id and public key but also other attributes discovered during the attestation ceremony such as the uv bit from authenticator data, attestation data (if attestation is performed), and any extension data. This will assist RP's in making future policy decisions and determining the best WebAuthn parameters for assertion ceremonies.

Intention is that a future PR (in L3 timeframe) may be submitted to address.

GitHub Notification of comment by sbweeden
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 27 January 2021 20:19:47 UTC