[webauthn] Platform authentication registration promotion when the user has authenticated with the external authenticator (#1759)

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Platform authentication registration promotion when the user has authenticated with the external authenticator ==
If the authentication response coming from the external authenticator or phone (with hybrid transport) and the client device supports platform authentication, it is recommended for RPs to provide promotion to that user to register the platform authenticator.
The user might have a chance to select their authenticator during authentication process (platform authenticator, security key, hybrid and etc). Even if the credential is generated on the platform authenticator of the user device, the user still can authenticate with other authenticators (such as security key and phone - hybrid).
In that case, as a RP, the RP has no way to check whether the credential has been created on the platform authenticator or not.

What's the recommendation in this case?
Just promote the user whenever the user has authenticated with the roaming authenticator?
Or, leverage cookie to indicate that the platform credential is registered before?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1759 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 29 June 2022 08:12:34 UTC