W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2022

Re: [webauthn] devicePubKey extension MUST be supported if multi-device WebAuthn credentials are used (#1691)

From: Anders Rundgren via GitHub <sysbot+gh@w3.org>
Date: Wed, 26 Jan 2022 08:46:09 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1021984339-1643186767-sysbot+gh@w3.org>
Hi @emlun 
> @cyberphone Please stay on the issue topic, web payments are unrelated to this.

They are related because Web payment systems that do not intrinsically host required meta data, usually depend on cookies to achieve a more reasonable UX (like remembering last used card number).   Payment systems relying on WebAuthn belong to this category.

That is, synced keys may also need synced cookies.  SPC raises the bar further by adding dependencies on synced payment handler code.  Hopefully all of this is taking place at the platform level, otherwise you are stuck with the default browser which yet another thorny issue.  For Apple who only supports a single "engine" this is a no-issue, for the rest of the world, it is not.

IMO, this is way over the top, particularly with respect to payments.  For user authentication, discoverable authenticators are probably sufficient to relieve us from the current "cookie hell".

GitHub Notification of comment by cyberphone
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1691#issuecomment-1021984339 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 January 2022 08:46:10 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:45 UTC