- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Tue, 25 Jan 2022 15:17:01 +0000
- To: public-webauthn@w3.org
> ...when invoking get() for authentication, if the assertion is coming back from 1) an already accepted device or 2) a new (unknown) device.

Well, we _are_ talking about a browser API...would a cookie be an unacceptable way of gauging whether the `.get()` call is from a new device or not? Something like this:

> When the user's browser sends the `.get()` response to your server you can check, was the `authed-on-this-device-before` cookie set?
>
> If so, then this device can be trusted. Allow the auth to proceed.
>
> If not, then confirm the auth is legitimate (i.e. uses a previously-registered credential belonging to a valid user account) but then force the user to provide more information to satisfy the risk engine. Upon successful auth set a long-lived, `HttpOnly` `authed-on-this-device-before` cookie.

So long as the cookie is long-lived and refreshes on subsequent auths then the user will only ever have to provide that extra info the next time they log into a new device.

--
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021295150 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 25 January 2022 15:17:03 UTC