Re: [webauthn] Add a `hints` element for both `create` and `get`. (#1884)

> If I'm understanding this correctly, the intent of `hints` would be that an RP like me adds the new property to our registration options to "suggest" to the browser that it only show the hybrid flow?
> 
> ```js
> {
>   // ...
>   authenticatorSelection: {
>     authenticatorAttachment: 'cross-platform'
>   },
>   hints: ['non-security-key'],
> }
> ```
> 
> > Maybe "smartphone" is a good answer?
> 
> What about `"other-device"` or `"external-device"`? It leaves the door open for other form factors to participate (e.g. someone could use an iPad, which doesn't really fit into the idea of "smartphone").

For enterprise, we'll need the opposite - to completely deny smartphones and hybrid due to the fact these platforms are unattested and third party backed. We'll need a way to limit to only TPMs and FIDO2 security key devices (generally, things that have AAGUIDs). This is why in the past we've requested that during registration we can send a list of AAGUIDs as a filter for "these are the only devices acceptable under our policy, so only proceed with them".

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1884#issuecomment-1537334342 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Sunday, 7 May 2023 06:42:47 UTC