Re: [webauthn] Possible experiences in a future WebAuthn (#1637)

> When signing in on a different computer, either the credential will already be locally present (if the computer is using the same sync fabric as the phone) and suggested by autocomplete, or else the user’s phone can be used to transmit the assertion to the computer. In the latter case, the service may invite the user to enroll a local platform authenticator for easier sign-in in the future. (Now the newly registered credential may be part of a different sync fabric, and thus enable local sign-in on other devices.)

Should it be noted that the service should take care to make it very clear to the user that enrolling a new local platform authenticator is quite different from the current 'Trust this device' type checkbox that people click now on many websites to extend the current session length?

One other thing I don't see mentioned as a possible experience is the need for a service to have a user-known way to identify the authenticators that have been used. For example, on services with 2FA, the service typically lets me name each authenticator I enroll so that I can easily see which ones have access to my account. A more important aspect is that if I lose one, I can easily remove it because I know the name.

Are services expected to ask users to name the authenticator enrolled? I could imagine a design pattern where the user is only requested to name an authenticator during enrollment if it results in multiple enrolled authenticators, so that the service can display them to the user in an easily identifiable manner.

-- 
GitHub Notification of comment by bbangert
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1637#issuecomment-1302481486 using your GitHub account



Received on Thursday, 3 November 2022 18:00:50 UTC