Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> > The DPK is a device-bound key for use with the multi-device credential as a device signal for risk assessment. It does not replace the multi-device credential.
> RPs are free to ignore it and only use the DPK for all authentication decisions (and out-of-band mechanisms for new device registration) though, right?
> Effectively, this would be a complicated and (for implementations) intransparent way of opting out of syncing.

However, registrations would still be synced. If you as an RP do a new registration when you see a new DPK, you either:

- Are overwriting the existing credential and most likely destroying any existing DPK on all other devices. This will make it so the user must register again next time they use a prior device.
- Are creating multiple authentication choices for the site, most likely presented to the user by the platform in a list or drop-down, with at most one of the listed options leading to success at any given time.

To fix these problems, you need to accept and retain the received assertion, notice the new DPK, do any additional authentication/proofing/fraud deflection steps, and then rather than do a new credential creation, you associate the new DPK with the account and with the original credential.

GitHub Notification of comment by dwaite

Received on Sunday, 3 April 2022 07:15:11 UTC
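The two RP strategies contrasted in the comment above, as an added simulation that is not part of the original message or of the WebAuthn specification. It assumes a toy model: a single multi-device credential that the platform syncs to two devices, each with its own device-bound key; credential IDs, DPKs and the step-up check are opaque placeholders, and assertion signature verification is assumed to have already succeeded before either handler is called.

```python
"""Simulation of an RP handling a new device public key (DPK) on a synced
credential. Added example; identifiers below are assumptions, not spec names.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    # credential_id -> set of DPKs the RP has associated with that credential
    credentials: dict = field(default_factory=dict)


@dataclass
class Device:
    name: str
    dpk: str            # device-bound key, never leaves this device
    synced: list        # credential IDs mirrored across all the user's devices


def assertion_from(device, credential_id):
    """Stand-in for a verified assertion carrying the DPK extension output."""
    return {"credential_id": credential_id, "dpk": device.dpk}


def naive_rp(account, assertion, register, step_up):
    """Treats an unknown DPK as a brand-new device and re-registers,
    overwriting the account's existing credential (the first bullet above)."""
    cid, dpk = assertion["credential_id"], assertion["dpk"]
    known = account.credentials.get(cid)
    if known is None:
        return "must_register"
    if dpk not in known:
        new_cid = register()                  # creates and syncs a new credential
        account.credentials = {new_cid: {dpk}}  # old credential and its DPKs are gone
        return f"reregistered:{new_cid}"
    return "ok"


def careful_rp(account, assertion, register, step_up):
    """Keeps the original credential and associates the new DPK with it after
    additional proofing, as the comment recommends."""
    cid, dpk = assertion["credential_id"], assertion["dpk"]
    known = account.credentials.get(cid)
    if known is None:
        return "unknown_credential"
    if dpk not in known:
        if not step_up():                     # fraud deflection / extra auth
            return "denied"
        known.add(dpk)                        # bind DPK to the existing credential
        return "ok_new_dpk"
    return "ok"


def run(strategy, step_up_ok=True):
    """Device A logs in, then device B (new DPK), then device A again.
    Each device tries every credential the platform would list for the site."""
    synced = ["cred-1"]                       # shared list models platform sync
    a = Device("A", "dpk-A", synced)
    b = Device("B", "dpk-B", synced)
    acct = Account("alice", {"cred-1": {"dpk-A"}})
    counter = [1]

    def register():
        counter[0] += 1
        cid = f"cred-{counter[0]}"
        synced.append(cid)                    # new credential syncs to all devices
        return cid

    def step_up():
        return step_up_ok

    outcomes = []
    for dev in (a, b, a):
        results = [strategy(acct, assertion_from(dev, cid), register, step_up)
                   for cid in list(synced)]
        outcomes.append((dev.name, results))
    return outcomes


if __name__ == "__main__":
    print("naive:  ", run(naive_rp))
    print("careful:", run(careful_rp))
```

With the naive handler, device B's login overwrites the account's credential, so device A's next login finds its original credential unknown and the newly synced one bound to a foreign DPK, and the cycle repeats; the platform also now lists two credentials of which at most one can work. With the careful handler the credential list never grows and both devices keep working.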