Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

@ve7jtb wrote:
> The RP needs to make a decision: if their account recovery is stronger than sending a password reset email to the person's Apple or Google account, then they can perform some sort of step-up to be able to accept the credential if the authenticator is unknown (there is still an open question if platform authenticators will provide attestations) or the credential is multi-device.

It should not be assumed that simply using a reset email on a platform account will grant access to multi-device credentials.

@lxgr:
> On a related note, as a WebAuthn user, I explicitly don't want some of my credentials to be synced to my keychain under any circumstances (in particular the ones relating to financial transaction authorizations). Maybe there should be a parallel discussion around whether users should be provided with a way to opt out of key backups/syncing on a per-key basis? This is a different concern than the one of RPs opting out, though.

This is an implementation discussion and would not be part of the WebAuthn specification.

-- 
GitHub Notification of comment by timcappalli
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083496069 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 March 2022 18:47:07 UTC
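The step-up decision quoted above (accept a credential outright, or require a step-up when the authenticator is unknown or the credential is multi-device) is something the RP can only make if it reads the authenticator data flags that WebAuthn Level 3 added out of this issue: BE (backup eligible, bit 3) and BS (backup state, bit 4) of the flags byte. The following is an added example of that RP-side check in Python; it is not code from the thread, the WebAuthn spec, or any RP library. The policy it encodes (step-up on high-value operations when BE is set or the authenticator is unknown, reject if BE changes for a stored credential) and the constructed sample authenticator data are assumptions chosen for illustration.

```python
import hashlib
import struct

# Bit positions in the WebAuthn authenticator data "flags" byte (Level 3).
FLAG_UP = 1 << 0  # user present
FLAG_UV = 1 << 2  # user verified
FLAG_BE = 1 << 3  # backup eligible: a multi-device (syncable) credential
FLAG_BS = 1 << 4  # backup state: the credential is currently backed up
FLAG_AT = 1 << 6  # attested credential data follows
FLAG_ED = 1 << 7  # extension data follows


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    be = bool(flags & FLAG_BE)
    bs = bool(flags & FLAG_BS)
    # The spec does not allow BS=1 together with BE=0; treat it as malformed.
    if bs and not be:
        raise ValueError("invalid flags: BS set without BE")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "be": be,
        "bs": bs,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def evaluate_assertion(parsed: dict, record: dict, expected_rp_id: str,
                       high_value: bool) -> str:
    """Return 'reject', 'step_up' or 'accept' for an assertion.

    `record` is the RP's stored view of the credential: the BE flag captured
    at registration, the last sign counter, and whether the authenticator was
    identified (e.g. via attestation) at registration. This policy is an
    assumption for the example, not mandated by the spec.
    """
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return "reject"
    if not parsed["up"]:
        return "reject"
    # BE is fixed for the lifetime of a credential; a change means the
    # assertion did not come from the credential we registered.
    if parsed["be"] != record["be"]:
        return "reject"
    # Counter regression on a single-device credential suggests a clone.
    # Multi-device credentials commonly report a counter of 0, so skip them.
    if (not parsed["be"] and parsed["sign_count"] != 0
            and parsed["sign_count"] <= record["sign_count"]):
        return "reject"
    # The RP decision from the thread: if the credential is multi-device or the
    # authenticator is unknown, require a step-up before a high-value action.
    if high_value and (parsed["be"] or not record["authenticator_known"]):
        return "step_up"
    return "accept"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build constructed sample authenticator data for testing (no real key)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"
    synced = parse_auth_data(make_auth_data(rp, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0))
    stored = {"be": True, "sign_count": 0, "authenticator_known": True}
    print("synced, high value:", evaluate_assertion(synced, stored, rp, True))   # step_up
    print("synced, low value: ", evaluate_assertion(synced, stored, rp, False))  # accept
```

The BE check is the important part: the RP records BE at registration and refuses an assertion whose BE differs, so a credential it accepted as single-device cannot later present itself as synced. BS may legitimately change between assertions; an RP that cares can record it and notify the user when it flips from 0 to 1.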