[webauthn] Provide passwordless example, or update 1.3.2. to be a passwordless example (#1735) from Greg Brimble via GitHub on 2022-05-27 (public-webauthn@w3.org from May 2022)

From: Greg Brimble via GitHub <sysbot+gh@w3.org>
Date: Fri, 27 May 2022 21:34:33 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-1251293205-1653687271-sysbot+gh@w3.org>

GregBrimble has just created a new issue for https://github.com/w3c/webauthn:

== Provide passwordless example, or update 1.3.2. to be a passwordless example ==
Hi, just a suggestion to help clarify the passwordless registration flow for people.

[1.3.2. Registration Specifically with User-Verifying Platform Authenticator](https://w3c.github.io/webauthn/#sctn-sample-registration-with-platform-authenticator) walks through a process of registering where a user provides a username, password, and uses a user-verifying platform authenticator.

[6.2. Authenticator Taxonomy](https://w3c.github.io/webauthn/#sctn-authenticator-taxonomy) states:

> [User-verifying platform authenticators](https://w3c.github.io/webauthn/#user-verifying-platform-authenticator) and [first-factor roaming authenticators](https://w3c.github.io/webauthn/#first-factor-roaming-authenticator) enable passwordless [multi-factor](https://pages.nist.gov/800-63-3/sp800-63-3.html#af) authentication. In addition to the proof of possession of the [credential private key](https://w3c.github.io/webauthn/#credential-private-key), these authenticators support [user verification](https://w3c.github.io/webauthn/#user-verification) as a second [authentication factor](https://pages.nist.gov/800-63-3/sp800-63-3.html#af), typically a PIN or [biometric recognition](https://w3c.github.io/webauthn/#biometric-recognition). The [authenticator](https://w3c.github.io/webauthn/#authenticator) can thus act as two kinds of [authentication factor](https://pages.nist.gov/800-63-3/sp800-63-3.html#af), which enables [multi-factor](https://pages.nist.gov/800-63-3/sp800-63-3.html#af) authentication while eliminating the need to share a password with the [Relying Party](https://w3c.github.io/webauthn/#relying-party).

To me, 1.3.2's example could be improved by not also providing a password, or instead, a new example was created to specifically walk through a passwordless flow.

More than happy to put up a PR to make these changes if you're interested in either. Just let me know!

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1735 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 27 May 2022 21:34:34 UTC