I do not believe a separate AAGUID is necessary for Passkey-like solutions (where the private-key and credential are portable across devices); there is an easier solution available within the protocol. I recommend that one of the bits in [_authenticatorData_](https://www.w3.org/TR/webauthn-2/#authenticator-data) - say, Bit 3 - be used to indicate that the credential with its private-key is portable across devices/authenticators. If Bit 3 is set, the credential and its private-key **are** portable across devices; if it is NOT set, the credential and its private-key are bound to the device on which the key-pair was generated.

Regardless of AAGUID, an RP will be able to determine, at registration time, whether the credential and its private-key are device-bound or portable. This is easier and faster than having to process an extension (which will also carry additional baggage in the registration response from the authenticator).

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1017558439 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 20 January 2022 14:24:18 UTC
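The check this comment proposes, as an added example that is not part of the original comment or of the WebAuthn specification: an RP-side parser for authenticatorData that reads bit 3 as the proposed portability flag (an assumption; WebAuthn Level 2 reserves that bit). The names `FLAG_PORTABLE`, `parse_auth_data`, `registration_binding` and `sample_auth_data`, and the sample bytes, are hypothetical and constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

FLAG_UP, FLAG_UV = 0x01, 0x04  # WebAuthn Level 2: user present, user verified
FLAG_AT = 0x40                 # attested credential data included
# ASSUMPTION: bit 3 used as the comment proposes; WebAuthn Level 2 reserves it.
FLAG_PORTABLE = 0x08

@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]

def parse_auth_data(data: bytes) -> AuthData:
    """Parse the 37-byte header and, if AT is set, the AAGUID and credential ID."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(data) < 55:
            raise ValueError("AT set but attested credential data is truncated")
        aaguid = data[37:53]
        (cred_len,) = struct.unpack(">H", data[53:55])
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID is truncated")
    return AuthData(data[:32], flags, sign_count, aaguid, cred_id)

def registration_binding(data: bytes, expected_rp_id: str) -> str:
    """RP-side registration check; returns 'portable' or 'device-bound'."""
    ad = parse_auth_data(data)
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not ad.flags & FLAG_AT:
        raise ValueError("registration response lacks attested credential data")
    return "portable" if ad.flags & FLAG_PORTABLE else "device-bound"

def sample_auth_data(flags: int, rp_id: str = "example.com") -> bytes:
    """Constructed authenticatorData for testing; the COSE public key is omitted."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", 0) + bytes(16)          # signCount, zero AAGUID
            + struct.pack(">H", 4) + b"\x01\x02\x03\x04")  # 4-byte credential ID
```

Because authenticatorData is covered by the attestation signature, the flag is only authenticated when the RP actually verifies attestation.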