Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

I was making the point that unless the RP is doing something better than email password reset now, they have no reason to reject multi-device credentials.

It may be that depending on implementation they may be significantly more secure, but I think we can agree that they won't be any less secure.

We should concentrate on how to uplift multi-device credentials if required and not focus on rejecting them.

My comment about cookies is out of practicality. More RPs are going to be able to do that than reimplement their servers to support DPK.

DPK is a better option when available, but there is no guarantee that it will be available on all authenticators.

Cookies are sort of low tech but work today as a way to know if the device/browser has previously authenticated with a given credentialID. RPs who are concerned should probably start there.

I don't know how financial institutions are going to deal with the change. Perhaps on Android they will only create non-discoverable credentials to get around syncing, though that is not part of the spec, and will not work with the updated non-modal UX.

It is probably best for them to plan to use DPK as a signal when they can in SPC.


-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083529322 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 March 2022 19:16:57 UTC
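The cookie-based "known browser" check the comment describes, as an added example for RP-side logic; this is not code from the commenter or from the WebAuthn spec. It assumes a constructed HMAC key (`RP_COOKIE_KEY`) and an invented cookie layout (`nonce.credentialId.tag`): after a successful assertion the RP sets a cookie that binds a random per-browser nonce to the credential ID, and on later assertions the absence or mismatch of that cookie is the signal that this credential is being used from a browser the RP has not seen before, which is what a synced multi-device credential on a new device looks like.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed demo key (placeholder). A real RP loads this from a secrets store.
RP_COOKIE_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, for cookie-friendly values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; raises ValueError (binascii.Error) on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_cookie(credential_id: bytes, key: bytes = RP_COOKIE_KEY) -> str:
    """Build the cookie value to set after a successful assertion.

    The HMAC covers nonce || credential_id, so the value cannot be re-used for a
    different credential and cannot be forged without the RP key.
    """
    nonce = os.urandom(16)
    tag = hmac.new(key, nonce + credential_id, hashlib.sha256).digest()
    return f"{_b64(nonce)}.{_b64(credential_id)}.{_b64(tag)}"


def is_known_device(cookie: Optional[str], credential_id: bytes,
                    key: bytes = RP_COOKIE_KEY) -> bool:
    """True only if the browser presents a valid cookie for this credential ID."""
    if not cookie:
        return False
    try:
        nonce_s, cred_s, tag_s = cookie.split(".")
        nonce, cred, tag = _unb64(nonce_s), _unb64(cred_s), _unb64(tag_s)
    except ValueError:
        # Wrong number of fields or undecodable base64: treat as no cookie.
        return False
    if not hmac.compare_digest(cred, credential_id):
        # Cookie was issued for a different credential on this browser.
        return False
    expected = hmac.new(key, nonce + credential_id, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decide_after_assertion(cookie: Optional[str], credential_id: bytes,
                           key: bytes = RP_COOKIE_KEY) -> Tuple[str, str]:
    """RP policy hook run once the WebAuthn assertion itself has verified.

    Returns (decision, cookie_to_set): "allow" when the browser already holds a
    valid cookie for this credential, "step_up" when it does not (first use on
    this browser, e.g. a credential that arrived by sync). A fresh cookie is
    issued either way so the browser is recognised next time.
    """
    known = is_known_device(cookie, credential_id, key)
    return ("allow" if known else "step_up"), issue_device_cookie(credential_id, key)


if __name__ == "__main__":
    cred = b"\x01\x02\x03\x04" * 4  # constructed credential ID
    decision, cookie = decide_after_assertion(None, cred)
    print("first sign-in on this browser:", decision)      # step_up
    decision, _ = decide_after_assertion(cookie, cred)
    print("second sign-in with cookie:", decision)          # allow
```

The cookie must be set with `Secure`, `HttpOnly` and `SameSite` attributes and scoped to the RP origin; a cleared cookie jar or a private window will look like a new device, which is the "low tech" trade-off the comment refers to, so the step-up path should be a usable fallback (an existing second factor or an out-of-band confirmation) rather than a hard rejection.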