- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Mon, 04 Sep 2023 20:40:37 +0000
- To: public-webauthn@w3.org

> What kind of "supplemental keys" will this be used for?

The PR is rather extensive, but it does have updated examples if you'll permit me just to quote them:

> A usage example is thus:
>
> A sign-in request is received by a website that, by regulation, must require certain authentication standards. The sign-in is done with a [=multi-device credential=], but also includes a supplemental key with an attestation that states that the supplemental key is only synced after a user has met or exceeded those standards. Since that supplemental key has been seen before, and was initially verified to meet the site's authentication standards, additional sign-in challenges are not required.
>
> Another example of supplemental keys:
>
> Say that a sign-in request appears at a website along with some geolocation signal that has not been seen for this [=user account=] before, and is outside of the typical usage hours observed for the account. The risk may be deemed high enough not to allow the request, even with an assertion by a [=multi-device credential=] on its own. But if a signature from a supplemental key that is device-bound, and that is <i>well established</i> for this user can also be presented, then that may tip the balance.

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1705685717 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 4 September 2023 20:40:39 UTC