- From: Matthew Miller via GitHub <sysbot+gh@w3.org>
- Date: Thu, 08 Sep 2022 17:08:00 +0000
- To: public-webauthn@w3.org
> If that is the policy for that user, then the user wouldn't have a WebAuthn credential for that site, so they'd enter their username. This ignores the very real scenario of a system administrator temporarily enabling use of WebAuthn for a few of their users while trialing a new WebAuthn-powered feature of their SSO subscription before then disabling the feature. During this trial a user would indeed create a credential and use it for authentication as a participant in the trial. For whatever reason the admin then turns it off (they're done testing, don't like it, etc...), then their users should not still be able to use WebAuthn to log in. This is the purpose of the policy check, so that the SSO provider doesn't prompt for WebAuthn when it shouldn't even if the user has a credential for the site. -- GitHub Notification of comment by MasterKale Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1793#issuecomment-1240987999 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 8 September 2022 17:08:01 UTC