Re: [webauthn] How to know if a user has already registered a device? (#1749)

> And how does your "sign in or sign up" that just trusts everything, plan to verify the public key that signed the challenge?

Trust on first use. I would not care about what the user uses as an authenticator. Once the site obtains the credential, it creates the account and remembers the credential and the attestation of the credential, and requires the issuer and credential to be the same in the future for somebody to sign in to that account.

-- 
GitHub Notification of comment by mitar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1825305183 using your GitHub account



Received on Friday, 24 November 2023 08:27:20 UTC
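
The trust-on-first-use flow described in the comment above, as an added example that is not part of the original message or of the WebAuthn specification. It is simplified: the signed message is only the challenge (real WebAuthn signs authenticatorData || SHA-256(clientDataJSON)), `issuer` is a stand-in string for the attestation issuer, and every function and field name is hypothetical.

```javascript
// Added example: trust-on-first-use pinning, simplified from WebAuthn.
// Assumptions: the signed message is just the challenge, `issuer` stands in
// for the attestation issuer, and all names here are hypothetical.
const crypto = require('node:crypto');

const accounts = new Map();   // credentialId -> { publicKey, issuer }
const pending = new Set();    // challenges issued and not yet consumed

function newChallenge() {
  const c = crypto.randomBytes(32).toString('base64url');
  pending.add(c);
  return c;
}

// Consume the challenge (single use) and check the signature over it.
function checkSignature(publicKey, challenge, signature) {
  if (!pending.delete(challenge)) return false;
  return crypto.verify('sha256', Buffer.from(challenge), publicKey, signature);
}

// First use: nothing to compare against, so the key is accepted and pinned.
function signUp(credentialId, publicKey, issuer, challenge, signature) {
  if (accounts.has(credentialId)) return 'exists';
  if (!checkSignature(publicKey, challenge, signature)) return 'bad-signature';
  accounts.set(credentialId, { publicKey, issuer });
  return 'created';
}

// Later uses: only the pinned key and the pinned issuer are accepted.
function signIn(credentialId, issuer, challenge, signature) {
  const pinned = accounts.get(credentialId);
  if (!pinned) return 'unknown-credential';
  if (pinned.issuer !== issuer) return 'issuer-changed';
  return checkSignature(pinned.publicKey, challenge, signature) ? 'ok' : 'bad-signature';
}

// Constructed stand-in for an authenticator: a P-256 key pair that signs challenges.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { publicKey, sign: (c) => crypto.sign('sha256', Buffer.from(c), privateKey) };
}
```

The first registration is the only point where the key is accepted without comparison; every later check is against what was pinned then.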