Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

@emlun No. They are not. The author of the feature themself, quote stated "These are hints, not security properties."

Second the UV flag checks are another problem unto themself, especially because *preferred* doesn't require an RP to check the UV flag, and so many RP's do not. There is also no guidance to direct RP's to store the state of UV from an initial registration to ensure it's consistent (And ctap2.0 breaks this anyway because it forces UV even under discouraged, but then will never UV during auth).



-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1089461506 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 5 April 2022 22:42:42 UTC