Re: [webauthn] Recovering from Device Loss (#931)

> This sounds like a problem for the RP to think about and implement their own workflows, not for the devices to have to share secrets, which weakens the whole system.
> 
> The same way we have password-reset emails, you need to think about the same for when someone loses a WebAuthn device.

Indeed. This has always been an issue with 2FA in general, which is why you have users who do not wish to use it. How your system deals with ways to circumvent 2FA implosion is not the 2FA standard; it's business logic.

Therefore, from what I gather, WebAuthn having inbuilt recovery is... beyond its scope?

If you'd like to register a new public key for the WebAuthn pair (your new device), then that's business logic of your service. You can have both WebAuthn and SSO to access the service and perform modifications to your settings. Or you can just have WebAuthn and watch as users eventually brick themselves out of your system.

-- 
GitHub Notification of comment by lucasgcbkhomp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/931#issuecomment-1320056414 using your GitHub account
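The RP-side "business logic" the comment points at, as an added illustration that is not code from the w3c/webauthn project or from the commenter: an account holds several credentials so one lost device does not lock the user out, a lost credential can be revoked, and a password-reset-style recovery token (short-lived, single-use, only its hash stored) gates registration of a replacement authenticator through a second channel. The `Account`/`Credential` store, the `RECOVERY_TOKEN_TTL` value and the opaque credential-ID and public-key bytes are assumptions for the example; a real RP stores the COSE public key and signature counter from the registration ceremony.

```python
"""RP-side bookkeeping for WebAuthn device loss (added example, not project code).

Assumed model: an in-memory account store where a user may hold several
credentials, a lost one can be revoked, and a short-lived single-use
recovery token authorises registering a replacement through a second
channel (the password-reset e-mail analogy from the thread).
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RECOVERY_TOKEN_TTL = 15 * 60  # seconds; assumed policy value, not a WebAuthn constant


@dataclass
class Credential:
    credential_id: bytes
    public_key: bytes          # COSE key in a real RP; opaque bytes here
    label: str                 # e.g. "work laptop", "phone"
    sign_count: int = 0
    revoked: bool = False


@dataclass
class RecoveryToken:
    token_hash: bytes          # only the hash is stored server-side
    expires_at: int            # unix seconds
    used: bool = False


@dataclass
class Account:
    username: str
    credentials: Dict[bytes, Credential] = field(default_factory=dict)
    recovery: Optional[RecoveryToken] = None


def register_credential(acct: Account, cred_id: bytes, public_key: bytes, label: str) -> Credential:
    """Attach another authenticator to the account; several devices are allowed."""
    if cred_id in acct.credentials:
        raise ValueError("credential already registered")
    cred = Credential(cred_id, public_key, label)
    acct.credentials[cred_id] = cred
    return cred


def usable_credentials(acct: Account) -> List[bytes]:
    """Credential IDs the RP would place in allowCredentials for an assertion."""
    return [c.credential_id for c in acct.credentials.values() if not c.revoked]


def revoke_credential(acct: Account, cred_id: bytes) -> bool:
    """Mark a lost device's credential unusable; it stays on record for audit."""
    cred = acct.credentials.get(cred_id)
    if cred is None or cred.revoked:
        return False
    cred.revoked = True
    return True


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def issue_recovery_token(acct: Account, now: int) -> str:
    """Create a short-lived, single-use token to deliver over a second channel.

    Returns the plaintext token (what the user receives); only its hash is
    kept. Issuing a new token replaces any outstanding one.
    """
    token = secrets.token_urlsafe(32)
    acct.recovery = RecoveryToken(_hash_token(token), now + RECOVERY_TOKEN_TTL)
    return token


def redeem_recovery_token(acct: Account, token: str, now: int) -> bool:
    """Accept a presented token only if one is outstanding, unused, unexpired
    and its hash matches (constant-time compare). Success burns the token."""
    rec = acct.recovery
    if rec is None or rec.used or now > rec.expires_at:
        return False
    if not hmac.compare_digest(rec.token_hash, _hash_token(token)):
        return False
    rec.used = True
    return True


def recover_with_new_device(acct: Account, token: str, now: int,
                            new_cred_id: bytes, new_public_key: bytes, label: str) -> bool:
    """Full recovery step: redeem the token, then register the replacement
    credential (in a real RP this is a normal registration ceremony)."""
    if not redeem_recovery_token(acct, token, now):
        return False
    register_credential(acct, new_cred_id, new_public_key, label)
    return True
```

Revoked credentials are kept rather than deleted so an assertion that arrives from the lost device can be logged as an attempted use rather than silently failing as "unknown credential"; the recovery token follows the same rules an RP already applies to password-reset links (hashed at rest, expiring, single use).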


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 18 November 2022 14:20:09 UTC