Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

Up until now, especially for native applications, the RP has had a control to enable/disable (by default, disabled) backing up the data (including credentials, such as private keys) to the platform provider's cloud. Some RPs might enable such features to improve usability or reduce the customer drop-off rate when they access the RPs again with a new device.

After introducing passkeys, the control is out of the RPs' hands and even the user might not have any choice.
Since the requirements differ between RPs, some RPs would like to just enjoy passkeys and others wouldn't.

So if the platform vendors' choice is to default to passkeys, then at least for the RPs concerned about security or having their own security requirements, we should provide a way to leverage them. If the DPK is only for hinting at device continuity, something more is needed for the RP (maybe fallback/identity proofing, or passwords).
Thus, the DPK (or, probably better, a conventional fallback mechanism) should not be an optional feature for the passkey providers, and providing an attested DPK should also be mandatory (if the RP wishes to use it).


-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1168155271 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 June 2022 02:49:42 UTC
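Added example, not part of the comment above or of the WebAuthn project's code: the comment argues that an RP with its own security requirements needs a way to tell a synced passkey from a device-bound credential. The mechanism the WebAuthn Level 3 drafts give an RP for that is the BE (backup eligible, bit 3) and BS (backup state, bit 4) bits of the authenticatorData flags byte. The code below parses the fixed 37-byte authenticatorData header, rejects the spec-invalid combination BS-without-BE, flags a BE value that changed since registration, and applies a hypothetical RP policy (`allow_synced`) of the kind the comment asks for. The sample authenticatorData is constructed inline with an all-zero rpIdHash placeholder; the function and parameter names are this example's own.

```python
"""RP-side check of WebAuthn authenticatorData backup flags (added example)."""
import struct
from typing import Optional, Tuple

# Bits of the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data included
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data_header(auth_data: bytes) -> dict:
    """Parse the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    # The spec forbids BS without BE; treat it as a malformed response.
    if bs and not be:
        raise ValueError("BS flag set while BE is clear")
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": be,
        "backed_up": bs,
        "sign_count": sign_count,
    }


def evaluate_credential_policy(auth_data: bytes, allow_synced: bool,
                               registered_backup_eligible: Optional[bool] = None
                               ) -> Tuple[bool, str]:
    """Hypothetical RP policy: accept or reject based on the backup flags.

    allow_synced=False models an RP that only wants device-bound credentials.
    registered_backup_eligible is the BE value the RP stored at registration
    (None on first registration). BE must not change over a credential's
    lifetime, so a flip is rejected rather than silently accepted.
    """
    hdr = parse_authenticator_data_header(auth_data)
    if (registered_backup_eligible is not None
            and hdr["backup_eligible"] != registered_backup_eligible):
        return False, "backup eligibility changed since registration"
    if hdr["backup_eligible"] and not allow_synced:
        return False, "synced passkey not accepted by this RP policy"
    if hdr["backup_eligible"]:
        state = "currently backed up" if hdr["backed_up"] else "not yet backed up"
        return True, f"synced passkey ({state})"
    return True, "device-bound credential"


def make_auth_data(flags: int, sign_count: int = 0) -> bytes:
    """Build a constructed 37-byte authenticatorData header for demonstration.
    The rpIdHash is an all-zero placeholder, not a real SHA-256 of an RP ID."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    synced = make_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)
    bound = make_auth_data(FLAG_UP | FLAG_UV, sign_count=7)
    print(evaluate_credential_policy(synced, allow_synced=False))
    print(evaluate_credential_policy(synced, allow_synced=True))
    print(evaluate_credential_policy(bound, allow_synced=False))
```

Storing the BE bit at registration and comparing it on every assertion is what turns the flag from a hint into something the RP can enforce; an RP that never records it cannot notice a credential that later starts reporting itself as syncable.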