[webauthn] Signaling when user credentials are shared between users to the `relying party` (#1922)

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Signaling when user credentials are shared between users to the `relying party` ==
## Description

Some passkey providers have been providing credential sharing between multiple users. RPs (or enterprises) might have some controls to allow or disallow credential sharing.
Such controls vary across passkey providers, and sometimes RPs might not be aware that a user's credential has been shared with others.

Some RPs would like to know such things in order to score the security risk.

I'm thinking that this could be offered as the following options.

- Option 1: mark the credential as shared when returning an attestation or assertion within the `authData` (might be a `flag`)
- Option 2: leverage a `well-known URL` on the relying party side and send a signal at the time when the user credential is actually shared


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1922 using your GitHub account



Received on Monday, 17 July 2023 03:13:35 UTC