W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Clarify how a user can authenticate from multiple devices (#151)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Tue, 28 Jun 2022 02:49:41 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1168155271-1656384579-sysbot+gh@w3.org>
Up until now, especially for the native application, the RP has a control to enable/disable (by default, disabled) backup the data (including credentials - such as private keys) to the platform provider's cloud. Some RPs might enable such features to improve the usability or reduce the customer drop off late when they access the RPs again with new device.

After introducing the passkey, the control is out of RPs and even the user might not have any choice.
Since the requirements are different between RPs, some RPs would like to just enjoy passkey and others wouldn't.

So if the platform vendors' choice is defaulting passkey, then at least, for the RPs concerning the security or having own security requirements, we should provide a way to leverage. If the DPK is just only for hinting of device continuity, something more is needed for the RP (maybe fallback/identity proofing, or passwords).
Thus, the DPK (probably better conventional fallback mechanism) should not be an optional feature for the passkey providers but also providing attested DPK should be a mandatory (if the RP wishes to use).


-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/151#issuecomment-1168155271 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 28 June 2022 02:49:42 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC