
Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Jan 2022 15:17:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021295150-1643123820-sysbot+gh@w3.org>
> ...when invoking get() for authentication, if the assertion is coming back from 1) an already accepted device or 2) a new (unknown) device.

Well, we _are_ talking about a browser API...would a cookie be an unacceptable way of gauging whether the `.get()` call is from a new device or not?

Something like this:

> When the user's browser sends the `.get()` response to your server you can check, was the `authed-on-this-device-before` cookie set?
> 
> If so, then this device can be trusted. Allow the auth to proceed.
> 
> If not, then confirm the auth is legitimate (i.e. uses a previously-registered credential belonging to a valid user account) but then force the user to provide more information to satisfy the risk engine. Upon successful auth set a long-lived, `HttpOnly` `authed-on-this-device-before` cookie.

So long as the cookie is long-lived and refreshes on subsequent auths then the user will only ever have to provide that extra info the next time they log into a new device.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021295150 using your GitHub account


Received on Tuesday, 25 January 2022 15:17:03 UTC