[webauthn] Indicate that the credential could be backed up and restored, but not synchronized (#1933)

Kieun has just created a new issue for https://github.com/w3c/webauthn:

== Indicate that the credential could be backed up and restored, but not synchronized ==
## Proposed Change

With the introduction of passkeys, and with 3rd-party passkey providers allowed to plug in to the platform to manage passkeys for RPs, WebAuthn credential capabilities might vary across authenticators and passkey providers.

In the current Level 3, there are a few flags indicating a multi-device credential, such as the `BE` and `BS` flags.
The `BE` flag indicates that the credential could be backed up and that it is a `multi-device-credential`.

[In Section 4](https://w3c.github.io/webauthn/#backup-eligible), terminology is defined for `BE` (Backup Eligibility) and [Backed Up](https://w3c.github.io/webauthn/#backed-up).

The current description for `Backed Up` is as follows.

> [Public Key Credential Sources](https://w3c.github.io/webauthn/#public-key-credential-source) may be backed up in some fashion such that they may become present on an authenticator other than their [generating authenticator](https://w3c.github.io/webauthn/#generating-authenticator). Backup can occur via mechanisms including but not limited to peer-to-peer sync, cloud sync, local network sync, and manual import/export. See also [§ 6.1.3 Credential Backup State](https://w3c.github.io/webauthn/#sctn-credential-backup).

The meaning of backup here is:
1. The credential could be backed up (exported) and recovered (imported) at some time
2. The credential could be synchronized with some mechanism

With this definition, in the WebAuthn world, the meaning of backup eligibility is backup itself and, additionally, synchronization.

Let's say some passkey providers would like to offer **passkeys with a backup and recovery feature and without synchronization**.
For example, some passkey provider applications might have strict requirements to have a single application instance for the given user.
In this case, synchronization for passkeys is not provided, but the passkeys need to be recovered if the user loses their phone and buys a new one or changes their phone.

If this is the case, we need some way to indicate that a credential could be backed up and restored, but not synchronized.


Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1933 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 27 July 2023 02:23:06 UTC
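
The gap described in the issue, seen from a relying party that reads the `BE` and `BS` bits out of authenticator data. This is an added example, not code from the issue or from the WebAuthn specification; the function names, provider labels and sample bytes are constructed for illustration.

```javascript
// Bit masks in the authenticator data flags byte (WebAuthn Level 3).
const FLAG_UP = 0x01; // User Present
const FLAG_BE = 0x08; // Backup Eligibility
const FLAG_BS = 0x10; // Backup State

// authData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function readBackupFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data must be at least 37 bytes");
  }
  const flags = authData[32];
  return { be: (flags & FLAG_BE) !== 0, bs: (flags & FLAG_BS) !== 0 };
}

// Everything a relying party can learn about backup from the two bits.
function classifyBackup({ be, bs }) {
  if (!be && bs) return "invalid"; // BS without BE is not an allowed combination
  if (!be) return "single-device";
  return bs ? "multi-device, backed up" : "multi-device, not backed up";
}

// Constructed sample: zeroed rpIdHash and signCount, only the flags byte is set.
function makeAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

// Two hypothetical providers: one syncs continuously, the other only offers
// manual export/import. Both can only report BE=1, BS=1.
const syncingProvider = makeAuthData(FLAG_UP | FLAG_BE | FLAG_BS);
const exportOnlyProvider = makeAuthData(FLAG_UP | FLAG_BE | FLAG_BS);

function indistinguishable(a, b) {
  return classifyBackup(readBackupFlags(a)) === classifyBackup(readBackupFlags(b));
}

console.log(classifyBackup(readBackupFlags(syncingProvider)));
console.log(classifyBackup(readBackupFlags(exportOnlyProvider)));
console.log("same signal to the RP:", indistinguishable(syncingProvider, exportOnlyProvider));
```

The two flags give a relying party three valid states, none of which separates export/import recovery from synchronization.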