Re: [webauthn] Should an RP be able to provide finer grained authenticator filtering in attestation options? (#1688)

From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
Date: Mon, 06 Jun 2022 12:18:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1147386327-1654517896-sysbot+gh@w3.org>

From my perspective, the ability to restrict or hint authenticator type is not to ban authenticator types that are not trusted, but instead to improve the user experience. I would like to heavily favor platform authenticators for the primary authentication flow and segregate user-verifying cross-platform authenticators to account recovery flows. The current UX provided is too confusing for my users unless they are first identified by username where the authenticator choice can be restricted. Even the CABLE use cases suggest upgrading the user to device-bound authenticators when possible.

I **do** intend to fully support passkeys as soon as they are ready.

#1716 requested to restrict authenticators by transport, but I believe attachment is much more valuable.

[For perspective](https://github.com/w3c/webauthn/issues/1688#issuecomment-1000594906), my company is a major financial services provider for the US with millions of users and has had WebAuthn passwordless logins in production for over a year.

The conditional mediated UI work will assist in the user experience, but is not a complete solution.

-- 
GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1688#issuecomment-1147386327 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 6 June 2022 12:18:20 UTC
