Re: [webauthn] Enforce backup eligibility during assertion (#1791)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 30 Aug 2022 12:29:40 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1231600230-1661862578-sysbot+gh@w3.org>

I agree that it's probably good to set an explicit standard for how RPs should react if `BE` changes, or if `BE=0, BS=1`, to encourage consistent behaviour between services.

I'm not sure what that should be, though. The user probably has little insight on, let alone control of, the flags, so rejecting the assertion or even revoking the credential seems unfair to the user. But if things don't break, there's little incentive for authenticator vendors to implement the flags correctly. But if things do break, there is incentive for RPs to ignore the recommendation to make their user experience more pleasant.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1791#issuecomment-1231600230 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 30 August 2022 12:29:42 UTC
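
The two conditions named in the message above (`BE` changing after registration, and `BE=0, BS=1`) can at least be detected and logged by an RP before any policy is settled. The sketch below is an added example, not part of the original message or of the WebAuthn specification text; the function names and finding labels are hypothetical, the sample inputs are constructed, and the bit positions assume the WebAuthn Level 3 authenticator data layout (flags byte after the 32-byte rpIdHash, BE at bit 3, BS at bit 4).

```javascript
// Added example. Bit positions assume the WebAuthn Level 3 authenticator data layout.
const FLAG_BE = 0x08; // bit 3: Backup Eligibility
const FLAG_BS = 0x10; // bit 4: Backup State
const FLAGS_OFFSET = 32; // flags byte follows the 32-byte rpIdHash

// Extract BE and BS from raw authenticator data (Uint8Array).
function backupFlags(authData) {
  // rpIdHash (32) + flags (1) + signCount (4) = 37 bytes minimum.
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new RangeError("authenticator data must be at least 37 bytes");
  }
  const flags = authData[FLAGS_OFFSET];
  return { be: (flags & FLAG_BE) !== 0, bs: (flags & FLAG_BS) !== 0 };
}

// Compare an assertion's flags with the BE value stored at registration.
// Returns findings only; what the RP does with them is left to its policy.
// Finding labels are hypothetical names chosen for this example.
function checkBackupFlags(storedBe, authData) {
  const { be, bs } = backupFlags(authData);
  const findings = [];
  if (!be && bs) findings.push("BS_SET_WITHOUT_BE");
  if (be !== storedBe) findings.push("BE_CHANGED");
  return { be, bs, findings };
}

// Constructed sample input: zeroed rpIdHash, chosen flags, signCount 0.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[FLAGS_OFFSET] = flags;
  return data;
}

// UP (0x01) is set in every constructed sample.
const samples = [
  ["consistent, backed up", true, 0x01 | FLAG_BE | FLAG_BS],
  ["BE dropped since registration", true, 0x01],
  ["BE=0, BS=1", false, 0x01 | FLAG_BS],
];
for (const [label, storedBe, flags] of samples) {
  const result = checkBackupFlags(storedBe, sampleAuthData(flags));
  console.log(label, JSON.stringify(result.findings));
}
```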
