Seriously, folks?? It would seem to me, that when dozens to hundreds of FIDO manufacturers have invested years into implementing FIDO solutions with certain security notions, as a courtesy to all that effort and investments - and to instill the principle of "**secure by default**" - the DEFAULT for a FIDO credential should ALWAYS be a hardware-bound key-pair, with NO possibility of ever extracting, copying, cloning, moving, synchronizing or backing up that key-pair to anything, anywhere.

If new entrants to the market desire convenience and are willing to sacrifice security for that illusory benefit, **then** those people/companies should bear the burden of new extension request and response processing, and dealing with the ensuing complexity.

Why should the people/companies who have invested more than 7 years into building "secure by default" FIDO solutions have to perform ANY additional work _just to maintain_ what they always believed the FIDO value-proposition would be?

--
GitHub Notification of comment by arshadnoor
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021837168 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 26 January 2022 03:54:17 UTC