Re: [webauthn] Provide an explicit way to opt out of multi-device syncing/backups (#1714)

> [...] am I understanding it correctly that there will be no "easy" way to do so [...]

As of now, yes, that is correct. The general position of the WG has been that we want to avoid fragmenting the ecosystem, so we're wary of adding more authenticator selection constraints. There was recent discussion around this in #1688 too. See also: #461, #445, #441, #396.

> This might unfortunately disqualify the use of platform authenticators in areas where two-factor authentication is explicitly mandated by a regulator, [...]

> Rejecting multi-device credentials will be possible, either via #1692 or more generally via requiring attestation and blocking all implementations known to sync.

Yes - especially in the context of regulatory compliance, RPs cannot rely on the client and authenticator to respect the RP's wishes without proof, so attestation is really the only solution for that case. An opt-out option could of course help optimize UX, but at the moment we feel the fragmentation risks outweigh the benefits, as discussed in #1688.

> The suggestion here is to offer RPs an option to indicate a preference for (not) syncing. This would allow implementations to invoke alternative behavior without requiring user intervention [...]

The "feature toggle" angle is interesting, though. We have this for user verification and discoverable keys, so it's not categorically out of the question. Maybe the fact that we're about to allocate authenticator data flags for this is a hint that it's important enough to warrant a corresponding feature toggle parameter.

But still, I feel like it's too impactful for how blunt it is. Even if it only disables syncing rather than rejecting the authenticator outright, that's still quite intrusive. It could easily be misunderstood as a "make it more secure" parameter, which is not at all true. We don't want RPs to use that without carefully considering the implications, because that will get users locked out and driven away from using WebAuthn at all because of the hassle (making them _less_ secure in the end). And again, attestation already provides RPs most of the same powers but in a form that's also verifiable.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714#issuecomment-1084473966 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 31 March 2022 11:44:02 UTC
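An added RP-side illustration of the two signals discussed in this thread (not code from the WebAuthn spec or from the commenter): the self-reported backup flags in the authenticator data, and an attestation-backed AAGUID allowlist as the verifiable check. It uses the BE/BS bit positions that WebAuthn Level 3 later assigned in the flags byte; `EXAMPLE_AAGUID` and the `example.com` RP ID are constructed sample values.

```python
import hashlib
import struct
from typing import Optional, Set, Tuple

# Bit positions in the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: credential may be synced to other devices
FLAG_BS = 0x10  # backup state: credential is currently backed up
FLAG_AT = 0x40  # attested credential data follows the fixed prefix
FLAG_ED = 0x80  # extension data follows

# Constructed placeholder, not a real authenticator's AAGUID.
EXAMPLE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte prefix: rpIdHash (32), flags (1), signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backup_state": bool(flags & FLAG_BS),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def rp_policy_decision(auth_data: bytes, rp_id: str, aaguid: Optional[bytes],
                       single_device_aaguids: Set[bytes]) -> Tuple[bool, str]:
    """Apply a 'no multi-device credentials' policy.
    The BE flag is only the authenticator's own claim; the AAGUID allowlist
    (populated from attestation verified elsewhere) is the check an RP can trust."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if info["backup_eligible"]:
        return False, "credential is backup-eligible (BE flag set)"
    if aaguid is None:
        return False, "no attestation: single-device claim cannot be verified"
    if aaguid not in single_device_aaguids:
        return False, "AAGUID not on the verified single-device allowlist"
    return True, "accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 1) -> bytes:
    """Build constructed sample authenticator data (fixed prefix only)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```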