W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 23 Jun 2022 09:56:27 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1164206296-1655978186-sysbot+gh@w3.org>
> The solution isn't roaming auth

It is, though. If you want to (1) log in from multiple devices, but (2) always enforce WebAuthn authentication for every login and (3) not copy private keys, then your only option is to use an authenticator with multiple connectivity options. Otherwise you'll have to relax at least one of the requirements (1), (2) and (3). Some (most?) websites do relax (2) and allow some other method of 2FA or account recovery. Some authenticator vendors relax (3) and copy private keys between devices via cloud sync or similar.

But note that a "roaming authenticator" doesn't have to be a YubiKey or similar "security key" device, it can also be a smartphone for example. Mobile OS vendors are now starting to support acting as a roaming authenticator via Bluetooth. This means a platform credential on the phone can be used both as a "built-in" credential on the phone _and_ as a roaming credential on other devices.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1164206296 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 23 June 2022 09:56:29 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC