Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> It should not be assumed that simply using a reset email for a platform account will grant access to multi-device credentials.

I read @ve7jtb's comment as implying that multi-device credentials only have to be better than the most common flow of email access recovery, not as a way of resetting access to an authenticator platform account holding multi-device credentials, but I even disagree on that point:

While this is arguably the most common scenario, as it is, many platform and roaming authenticators provide security guarantees significantly exceeding that. This is something that can enable new use cases, e.g. [Secure Payment Confirmation](https://www.w3.org/TR/secure-payment-confirmation/).

It doesn't seem wise to implicitly roll these security properties back, in the interest of usability, without at least offering a way for RPs to opt out of it. (I do understand that making multi-device credentials opt-in, rather than opt-out, could hurt adoption.)

> This is an implementation discussion and would not be part of the WebAuthn specification.

Got it, thank you @timcappalli! So if this isn't something the WebAuthn specification would cover, is there any adjacent specification, or is it completely up to implementors?

-- 
GitHub Notification of comment by lxgr
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083506611 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 March 2022 18:57:20 UTC