- From: Tim Cappalli via GitHub <sysbot+gh@w3.org>
- Date: Thu, 20 Jan 2022 15:07:20 +0000
- To: public-webauthn@w3.org

A couple of things:

- "passkey" itself is not a "thing" from a spec standpoint. We shouldn't use this term at all in the context of the WebAuthn specification. For the sake of this discussion, let's use "multi-device WebAuthn credential" and "single-device WebAuthn credential". A "multi-device WebAuthn credential" can also optionally have a hardware-bound device key.
- WebAuthn does not mandate that a key must be hardware bound today (in other words, it does not mandate a single-device WebAuthn credential). So mandating support for an extension that provides a hardware-bound secondary key is a bit odd.
- Today, if you do not request attestation, you have no guarantees about the authenticator. Tomorrow (multi-device WebAuthn credentials are enabled), nothing changes.

With all that being said, we are considering a mechanism to allow the authenticator to convey whether a credential is "durable" (e.g. you are safe to migrate the user away from a password or other methods) and potentially also whether the credential is allowed to move across devices. For example, you could have a credential that is allowed to move across devices, but it still remains on only one device, so it is not yet "durable".

--
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1017602988 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 20 January 2022 15:07:21 UTC