Re: [webauthn] devicePubKey extension MUST be supported if passkey is supported (#1691)

> An RP can still continue using security keys (single-device passkeys) as well as platform authenticators that support single-device passkeys.

No.

For consumer use cases, it is difficult to address millions of consumers with security keys. RPs want to use smartphones for many consumer use cases. RPs are already deploying WebAuthn with smartphones for many consumer use cases. Some of them already have tens of millions of smartphones supporting it -- actually we are one of them.

But some of these RPs cannot accept passkeys or "multi-device WebAuthn credentials" without devicePubKey for security reasons. For example, some of their consumer accounts are linked with each customer's bank accounts to enable them to do financial transactions. This model is already working very well with many RPs that have already deployed WebAuthn with smartphones such as iPhone and Android.

If a device generates passkeys or "multi-device WebAuthn credentials" but does not support devicePubKey, then these RPs have no choice but to give up deploying WebAuthn. This is the reason.


-- 
GitHub Notification of comment by maxhata
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1019438004 using your GitHub account


Received on Sunday, 23 January 2022 08:32:12 UTC