[webauthn] Pull Request: DRAFT: Backup eligibility parameter during registration

emlun has just submitted a new pull request for https://github.com/w3c/webauthn:

== DRAFT: Backup eligibility parameter during registration ==
Brainstorm idea for #1739. This is meant to facilitate discussion, not a fully-formed proposal.

Something like this would enable the client to optimize the user interaction to increase the chance that the registration completes successfully. I note in https://github.com/w3c/webauthn/issues/1714#issuecomment-1084473966 that since we now have the `BS` and `BE` flags in the authenticator data, that to me signals that this is a significant credential property that there should perhaps be a feature toggle for.

However, the argument against (again, see https://github.com/w3c/webauthn/issues/1714#issuecomment-1084473966) is that we don't want RPs to see this as a "make it more secure" parameter and just set it to `"forbidden"` without further consideration. So in order to respect the interests of the user, this proposal allows the client to let the user override the RP's preference if desired.

Perhaps something like this could be a reasonable middle ground? Is the risk of ecosystem fragmentation still too great? Is it not powerful enough to be useful to RPs? Discuss!

See https://github.com/w3c/webauthn/pull/1744

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 9 June 2022 21:57:41 UTC