Re: [webauthn] residentKey: "preferred-if-unlimited"? (#1822)

For perspective on credential management.
CTAP2.0 keys released in 2017 did not have credential management.
As part of CTAP2.1_Pre, Microsoft added a vendor extension for credential management in 2018 along with bio-enrollment and credprotect.
Authenticators shipped in 2019 by Yubico supported preview credential management.
CTAP2.1 supports final credential management and Yubico supports that as well on all CTAP2.1 keys.

The main problem with credential management is not so much the 1 year of keys produced that don't support it but the lack of platform support for it.

Chrome supports it on macOS and Linux, and Yubico has a standalone tool, but it needs to be run with admin permissions on Windows.

I understand that it would suck if you were an early adopter and purchased a key in 2017, and it filled up with discoverable credentials for sites supporting FIDO as a second factor, and then you wanted to add just one more for a site really using discoverable credentials.

However, remember in 2017 there was only one site supporting discoverable credentials and no one else had any interest in deploying them. It is unfortunate, but we have not done a bad job at attempting to future-proof CTAP2.0 authenticators.

If the authenticator fills up, then you can continue to register new second factor credentials like you can with the U2F authenticators some people are still selling.

In general, I would put more effort into supporting platforms having a credential management UI than other platform tweaks.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1310145479 using your GitHub account



Received on Thursday, 10 November 2022 11:30:46 UTC