> ...when invoking get() for authentication, if the assertion is coming back from 1) an already accepted device or 2) a new (unknown) device.

Well, we _are_ talking about a browser API...would a cookie be an unacceptable way of gauging whether the `.get()` call is from a new device or not? Something like this:

> When the user's browser sends the `.get()` response to your server you can check, was the `authed-on-this-device-before` cookie set?
>
> If so, then this device can be trusted. Allow the auth to proceed.
>
> If not, then confirm the auth is legitimate (i.e. uses a previously-registered credential belonging to a valid user account) but then force the user to provide more information to satisfy the risk engine. Upon successful auth set a long-lived, `HttpOnly` `authed-on-this-device-before` cookie.

So long as the cookie is long-lived and refreshes on subsequent auths then the user will only ever have to provide that extra info the next time they log into a new device.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021295150 using your GitHub account

-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 January 2022 15:17:03 UTC
This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC