Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> unless the RP is doing something better than email password reset now they have no reason to reject multi-device credentials.

Every financial institution in the EU is doing something better than email password resets, as is required by regulations.

> We should concentrate on how to uplift multi-device credentials if required and not focus on rejecting them.

Rejecting multi-device credentials will be possible, either via #1692 or more generally via requiring attestation and blocking all implementations known to sync. 

The suggestion here is to offer RPs an option to indicate a preference for (not) syncing. This would allow implementations to invoke alternative behavior without requiring user intervention (for implementations that make sync capability a user choice via opt-in or opt-out, per credential or globally).

-- 
GitHub Notification of comment by lxgr
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1083544953 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 30 March 2022 19:33:27 UTC
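The two RP-side options mentioned in the comment (rejecting credentials that an authenticator marks as synced, and allowlisting authenticator models through attestation) can both be expressed as a registration policy over the authenticator data the RP already receives. The following is an added example, not code from the webauthn spec repository or from the commenter; it assumes that #1692 introduces the backup-eligibility (BE, bit 3) and backup-state (BS, bit 4) flags at the positions later published in WebAuthn Level 3, and it uses constructed AAGUIDs and credential IDs as test vectors. The AAGUID check is only meaningful after the attestation statement has been verified; with "none" attestation the AAGUID is self-reported (usually zeros) and proves nothing.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Bit positions in the authenticator data flags byte.
# UP/UV/AT/ED are from WebAuthn Level 2; BE/BS are the flags assumed to come
# from PR #1692 (positions taken from the later Level 3 text).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed header and, if present, the attested credential data.
    The COSE public key (and any extensions) after the credential ID are left
    unparsed here; a real RP decodes them with CBOR."""
    if len(raw) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = raw[:32]
    flags = raw[32]
    sign_count = struct.unpack(">I", raw[33:37])[0]
    aaguid = cred_id = None
    if flags & FLAG_AT:
        if len(raw) < 37 + 16 + 2:
            raise ValueError("truncated attested credential data")
        aaguid = raw[37:53]
        cred_len = struct.unpack(">H", raw[53:55])[0]
        cred_id = raw[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, cred_id)


@dataclass
class RpPolicy:
    rp_id: str
    require_uv: bool = True
    # The "opt out of syncing" preference the comment asks for, enforced RP-side.
    allow_backup_eligible: bool = False
    # Attestation-based route: only these authenticator models are accepted.
    # Only trustworthy once the attestation statement has been verified.
    aaguid_allowlist: Optional[FrozenSet[bytes]] = None


def evaluate_registration(raw: bytes, policy: RpPolicy) -> List[str]:
    """Return the list of reasons to reject this registration; empty means accept."""
    ad = parse_auth_data(raw)
    reasons: List[str] = []
    if ad.rp_id_hash != hashlib.sha256(policy.rp_id.encode()).digest():
        reasons.append("rpIdHash does not match this RP")
    if not ad.flags & FLAG_UP:
        reasons.append("user presence not asserted")
    if policy.require_uv and not ad.flags & FLAG_UV:
        reasons.append("user verification required but not performed")
    if not ad.flags & FLAG_AT:
        reasons.append("no attested credential data in registration response")
    if ad.flags & FLAG_BS and not ad.flags & FLAG_BE:
        reasons.append("backup state set without backup eligibility (malformed flags)")
    if not policy.allow_backup_eligible and ad.flags & FLAG_BE:
        reasons.append("credential is backup-eligible (multi-device); policy forbids")
    if policy.aaguid_allowlist is not None and ad.aaguid not in policy.aaguid_allowlist:
        reasons.append("authenticator model (AAGUID) not on allowlist")
    return reasons


def build_sample_auth_data(rp_id: str, flags: int, aaguid: bytes, cred_id: bytes) -> bytes:
    """Constructed test vector. The COSE public key that would normally follow the
    credential ID is omitted because this parser does not read it."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", 0)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id)


# Constructed AAGUIDs standing in for a hardware-bound and a syncing authenticator model.
HW_BOUND_AAGUID = b"\x11" * 16
SYNCING_AAGUID = b"\x22" * 16

if __name__ == "__main__":
    synced = build_sample_auth_data("bank.example",
                                    FLAG_UP | FLAG_UV | FLAG_AT | FLAG_BE | FLAG_BS,
                                    SYNCING_AAGUID, b"cred-2")
    print(evaluate_registration(synced, RpPolicy("bank.example")))
```

The policy object is where the comment's two routes meet: `allow_backup_eligible=False` rejects anything the authenticator itself flags as syncable, while `aaguid_allowlist` implements the "require attestation and block known-syncing implementations" route and needs a verified attestation statement to be worth anything. Neither check replaces verifying the attestation signature, the challenge, and the origin in the client data.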