Re: [webauthn] backup states in authenticator data (#1695)

> The platforms might decide whether the new device is capable of restoring the backup credential? Is there any policy for this? RP might want to enforce 2FA (with UV) and so it requires UV for the registration/authentication. If the generated credential is BE (backup eligible) and then restored from the new device, then still we can make sure that the credential is protected by UV? Or, is it possible that the credential is restored but the UP is only supported on the new device?

Wouldn't this also imply a change in the attestation chain of the credential when it's restored since it's on a different piece of hardware that has different UV capabilities? 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1695#issuecomment-1109218401 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 26 April 2022 02:01:41 UTC