- From: David Waite via GitHub <sysbot+gh@w3.org>
- Date: Wed, 16 Aug 2023 18:57:40 +0000
- To: public-webauthn@w3.org

Unfortunately, while a client is the interface with authenticators, it does not necessarily know if a passkey provider supports sharing. Indeed, authenticators themselves may not record if a credential has been shared, and sharing may not be an authenticator-level action.

The current recommended mechanism to mandate non-sharable (hardware-bound) credentials would be to require attestations. To prevent restricting use of new authenticators which also do not share credentials, it is recommended the attestations are verified against an up-to-date list of implementations (such as the FIDO Alliance MDS.)

In the future, an extension such as `devicePubKey` might serve as a signal that a credential MAY have been shared, although it also could be signaling other events or simple state clearing.

--
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1922#issuecomment-1681123049 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 16 August 2023 18:57:42 UTC
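
A sketch of the relying-party check the comment above recommends, added here as an example (it is not code from the commenter, the WebAuthn specification, or the FIDO Alliance). It assumes the attestation statement's signature and the MDS BLOB's signature were already verified, treats the metadata `keyProtection` values `hardware` and `secure_element` as this relying party's own proxy for "hardware-bound", and uses hypothetical function names and constructed sample data.

```python
import struct
import uuid
from datetime import date

# FIDO MDS status values treated here as disqualifying an authenticator model.
BLOCKING = {"REVOKED", "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
            "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}
HARDWARE = {"hardware", "secure_element"}  # assumed policy proxy for "hardware-bound"

def aaguid_from_auth_data(auth_data: bytes) -> str:
    """Extract the AAGUID from WebAuthn authenticator data, or raise ValueError."""
    # Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | credId
    if len(auth_data) < 55 or not auth_data[32] & 0x40:  # 0x40 = AT flag
        raise ValueError("missing or truncated attested credential data")
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    if len(auth_data) < 55 + cred_len:
        raise ValueError("truncated credential id")
    return str(uuid.UUID(bytes=auth_data[37:53]))

def is_allowed(auth_data: bytes, blob: dict, today: date):
    """Return (allowed, reason) for a registration whose attestation already verified."""
    if date.fromisoformat(blob["nextUpdate"]) < today:
        return False, "metadata is stale"  # the list must be up to date
    try:
        aaguid = aaguid_from_auth_data(auth_data)
    except ValueError as exc:
        return False, str(exc)
    entry = next((e for e in blob["entries"] if e.get("aaguid") == aaguid), None)
    if entry is None:
        return False, "unknown authenticator model"
    if any(r["status"] in BLOCKING for r in entry.get("statusReports", [])):
        return False, "model has a blocking status report"
    if not HARDWARE & set(entry["metadataStatement"].get("keyProtection", [])):
        return False, "keys not hardware protected"
    return True, "ok"

def sample_auth_data(aaguid: str) -> bytes:
    """Constructed authenticator data: flags 0x45 = UP | UV | AT, 16-byte credential id."""
    return (bytes(32) + b"\x45" + bytes(3) + b"\x01" + uuid.UUID(aaguid).bytes
            + struct.pack(">H", 16) + b"\x01" * 16 + b"\xa0")
# Constructed MDS-style payload; the AAGUIDs and entries are made up for the example.
def _entry(aaguid, protection, status):
    return {"aaguid": aaguid, "metadataStatement": {"keyProtection": protection},
            "statusReports": [{"status": status}]}
SAMPLE_BLOB = {"nextUpdate": "2023-09-01", "entries": [
    _entry("11111111-1111-1111-1111-111111111111", ["hardware"], "FIDO_CERTIFIED_L1"),
    _entry("22222222-2222-2222-2222-222222222222", ["software"], "NOT_FIDO_CERTIFIED"),
    _entry("33333333-3333-3333-3333-333333333333", ["hardware"], "REVOKED")]}
```

Because the decision is driven by the metadata rather than a fixed AAGUID list, a newly listed hardware-bound model is accepted as soon as the refreshed payload includes it.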