- From: Lukas Ribisch via GitHub <sysbot+gh@w3.org>
- Date: Wed, 30 Mar 2022 18:15:52 +0000
- To: public-webauthn@w3.org
This might unfortunately disqualify the use of platform authenticators in areas where two-factor authentication is explicitly mandated by a regulator, e.g. the EEA in the domain of secure cardholder authentication. A risk decision such as this:

> The RP needs to make a decision if their account recovery is stronger than sending a password reset email to the person's Apple or Google account

is explicitly prohibited by law in some scenarios there (and password reset emails are not an allowable alternative).

> The RP can cookie the browser

Do we really want to encourage the use of cookies as a form of device binding? If anything, RPs should be using DPKs for that use case, right?

On a related note, as a WebAuthn user, I explicitly don't want some of my credentials to be synced to my keychain under any circumstances (in particular the ones relating to financial transaction authorizations). Maybe there should be a parallel discussion around whether users should be provided with a way to opt out of key backups/syncing on a per-key basis? This is a different concern than the one of RPs opting out, though.

--
GitHub Notification of comment by lxgr
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083461106 using your GitHub account
Received on Wednesday, 30 March 2022 18:15:55 UTC