Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

> Will all those people who have invested in web/mobile applications never have to change their web/mobile apps when Level-3 is standardized if they do not wish to support synchronized key-pairs/credentials?

This extension is meant to give RPs an additional signal to let them accept authenticators that their policy would otherwise deny. It is meant to allow RPs a means to implement more expressive policies.

If an RP policy is to always reject authenticators based on their key-storage properties there's no reason to use this extension at all. Of course, to implement that policy today they need attestations, and will continue to need them in the future.

If instead the policy is extended to accept certain authenticators but to invoke user-facing workflow when the authentication may be coming from new hardware, the onus of providing support for that new workflow would fall onto the user-facing portion of the RP (a web application I believe in your example).

GitHub Notification of comment by dwaite
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 26 January 2022 06:08:44 UTC