Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

I believe that so far the WG has rejected all proposals to have a relying party opt out signal of multi-device credentials.

The RP needs to decide whether its account recovery is stronger than sending a password reset email to the person's Apple or Google account; if so, it can perform some sort of step-up to be able to accept the credential if the authenticator is unknown (there is still an open question whether platform authenticators will provide attestations) or the credential is multi-device.

The RP can cookie the browser and take that plus the multi-device credential to authenticate from the same browser, or if the cookie is not available due to it being a new device they can perform step-up (authenticate with a password, phone call, or roaming single-device authenticator).

I think the idea is that the RP should not reject multi-device credentials, but can use a cookie, the DPK extension (when available) or other factors to step up the authentication to the appropriate level.

It will be more work for some relying parties, I agree. This is pushing them towards taking a risk-based approach.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083451149 using your GitHub account
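The risk-based policy described in the comment above, as an added Python example that is not part of the thread or of the WebAuthn specification: it reads the BE (backup eligible) and BS (backup state) bits from the authenticator data flags byte and combines them with a known-browser cookie to decide whether to accept the assertion or require step-up. The flag bit positions are those defined by WebAuthn; the rpId, the cookie format and the three-way accept/step-up/reject outcome are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Flag bits of the authenticatorData flags byte (offset 32, after rpIdHash).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: this is a multi-device (syncable) credential
FLAG_BS = 0x10  # backup state: the credential is currently backed up


def parse_flags(authenticator_data: bytes) -> dict:
    """Extract UP/UV/BE/BS from raw authenticatorData (32-byte rpIdHash, flags, 4-byte counter)."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = authenticator_data[32]
    return {name: bool(flags & bit) for name, bit in
            (("up", FLAG_UP), ("uv", FLAG_UV), ("be", FLAG_BE), ("bs", FLAG_BS))}


def make_auth_data(rp_id: str, flags: int, counter: int = 0) -> bytes:
    """Constructed sample authenticatorData for testing (no attested credential data / extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def issue_device_cookie() -> bytes:
    """Random opaque value the RP sets on a browser after a fully verified login (assumed format)."""
    return secrets.token_bytes(32)


def decide(authenticator_data: bytes,
           presented_cookie: Optional[bytes],
           stored_cookie: Optional[bytes]) -> str:
    """Return 'accept', 'step-up' or 'reject' for an assertion, following the policy in the comment."""
    f = parse_flags(authenticator_data)
    if not f["up"]:
        return "reject"  # WebAuthn requires user presence on every assertion
    if not f["be"]:
        return "accept"  # single-device credential: the private key never left this authenticator
    # Multi-device credential: trust it only from a browser this account has already used.
    if presented_cookie is not None and stored_cookie is not None \
            and hmac.compare_digest(presented_cookie, stored_cookie):
        return "accept"
    # New browser plus a syncable credential: require password, phone call,
    # or a roaming single-device authenticator before granting access.
    return "step-up"
```

Whether a credential is backup eligible is fixed at registration, so an RP can also record the BE bit then and pre-compute which accounts will ever need this step-up path.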


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 March 2022 18:05:16 UTC