Re: [webauthn] Authentication through only what you are (#1728)

This issue has been discussed a lot before, but the WG decided not to provide such a feature. There is, however, an extension for getting the user verification method as an operation result, and such a feature is not properly provided by the client and the authenticator.
This misconception arises because many biometric implementations in native mobile apps use biometrics only for authentication, and if they need a fallback, they provide alternative ways of authenticating. WebAuthn is a technology that fully leverages your device credential (biometric or any other unlock method) and is trying to kill the password completely, so it always needs a fallback mechanism for the case of broken sensors or accessibility issues.

If such options for handling UV are given to RPs, the UX will differ from RP to RP and that will reduce market adoption. Some smart RPs might handle such options and keep their features updated. Most RPs cannot do that.

I'm not sure when the majority of the market will adopt WebAuthn and leverage passkeys so that they go entirely passwordless, which would mean they might not need other insecure fallbacks or account recovery.


-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1728#issuecomment-1120627086 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 9 May 2022 04:23:49 UTC
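The comment above contrasts the user verification method extension with what the authenticator and client actually guarantee. As an added example (not from the thread or the WebAuthn specification), this shows the RP-side distinction: the UV flag in authenticatorData is covered by the assertion signature and is the signal an RP can enforce, while the uvm client extension output is optional and informational. The method-code names are assumed from the FIDO Registry of Predefined Values, and the authenticatorData bytes are constructed.

```javascript
// Assumption: userVerificationMethod bit values as listed in the FIDO
// Registry of Predefined Values (not from the thread).
const UVM_NAMES = {
  0x001: "presence", 0x002: "fingerprint", 0x004: "passcode",
  0x008: "voiceprint", 0x010: "faceprint", 0x020: "location",
  0x040: "eyeprint", 0x080: "pattern", 0x100: "handprint", 0x200: "none",
};

// authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4) | ...
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    userPresent: (flags & 0x01) !== 0,   // UP bit
    userVerified: (flags & 0x04) !== 0,  // UV bit
    signCount: view.getUint32(0, false), // big-endian counter
  };
}

// uvm output: up to three [method, keyProtection, matcherProtection] triples.
// Returns null when the client did not process the extension at all.
function describeUvm(uvm) {
  if (!Array.isArray(uvm)) return null;
  return uvm.map(([m]) => UVM_NAMES[m] ?? `unknown(0x${m.toString(16)})`);
}

// RP policy: enforce the signed UV flag; uvm may only inform logging/UX.
function evaluateAssertion(authData, clientExtResults, requireUV) {
  const parsed = parseAuthData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "UP flag not set" };
  if (requireUV && !parsed.userVerified) {
    return { ok: false, reason: "UV required but UV flag not set" };
  }
  return {
    ok: true,
    signCount: parsed.signCount,
    methods: describeUvm((clientExtResults || {}).uvm),
  };
}

// Constructed sample authenticatorData: rpIdHash of 0xAA bytes, given flags,
// signCount 7. Not a real authenticator response.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf.fill(0xaa, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, 7, false);
  return buf;
}
```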