W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Discussing mechanisms for enterprise RP's to enforce bound properties of credentials (#1739)

From: Firstyear via GitHub <sysbot+gh@w3.org>
Date: Thu, 30 Jun 2022 00:14:12 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1170613178-1656548049-sysbot+gh@w3.org>
> > If multi-device credentials (more specifically those backed up to a user's platform-provider cloud account) are not able to be excluded by RP policy during credential creation, the spec is essentially dictating that all RPs must figure out a way to make them acceptable (otherwise you have the undesirable fail-after-register UX)
> 
> I think this is still an inevitability. At most, we can provide a UX to hint to the client to try to optimize this, but the client may not understand that hint (or have appropriate UX to represent it to the user)
> 

By being able to send a UX hint, the credential shouldn't even be listed for the usere to select in the ceremony, meaning that they are guided to a valid credential that can be used.

The alternative is they perform the whole ceremony then are dropped to an error screen that tries to explain why it failed. Which is much harder to communicate. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1739#issuecomment-1170613178 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 30 June 2022 00:14:14 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC