Re: [webauthn] residentKey: "preferred-if-unlimited"? (#1822)

> The Android platform authenticator will create a hardware-bound, non-discoverable credential for rk=discouraged and a synced, discoverable credential for "preferred" or "required".

@agl Thank you for confirming support for all values for `"residentKey"`!

BTW I was able just now to successfully perform hybrid auth with a credential I registered on Android with `"residentKey": "discouraged"`. I got back `["internal", "hybrid"]` transports from registration, which kinda surprised me because I assumed a credential had to be a discoverable credential to be used for hybrid auth. Has that never been a requirement?

> Basically translated - all RPs would have to behave the same way (use the same options) for there to be consistent UX, and we believed the browser is better positioned to prompt the user to help them decide whether to use an RK slot on HSKs. I'm not arguing for or against here - just replaying the challenges associated with introducing another option and what a possible alternative is.

Thank you @sbweeden, I suspected that's where the conversation went after reviewing the earlier comments in this issue.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1822#issuecomment-1370381351 using your GitHub account



Received on Wednesday, 4 January 2023 01:08:38 UTC