Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

> ...when invoking get() for authentication, if the assertion is coming back from 1) an already accepted device or 2) an new (unknown) device.

Well, we _are_ talking about a browser API...would a cookie be an unacceptable way of gauging whether the `.get()` call is from a new device or not?

Something like this:

> When the user's browser sends the `.get()` response to your server you can check, was the `authed-on-this-device-before` cookie set?
> If so, then this device can be trusted. Allow the auth to proceed.
> If not, then confirm the auth is legitimate (i.e. uses a previously-registered credential belonging to a valid user account) but then force the user to provide more information to satisfy the risk engine. Upon successful auth set a long-lived, `HttpOnly` `authed-on-this-device-before` cookie.

So long as the cookie is long-lived and refreshes on subsequent auths then the user will only ever have to provide that extra info the next time they log into a new device.

GitHub Notification of comment by MasterKale
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Tuesday, 25 January 2022 15:17:03 UTC