- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Tue, 05 Sep 2023 15:34:15 +0000
- To: public-webauthn@w3.org
> A sign-in request is received by a website that, by regulation, must require certain authentication standards. The sign-in is done with a [=multi-device credential=], but also includes a supplemental key with an attestation that states that the supplemental key is only synced after a user has met or exceeded those standards. Since that supplemental key has been seen before, and was initially verified to meet the site's authentication standards, additional sign-in challenges are not required.

Couldn't this be solved by assertion-time attestation? "Hey I didn't get attestation during registration; please prove this key is hardware bound; my policy changed" sounds simpler from an implementation-POV

--
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1706850011 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 5 September 2023 15:34:17 UTC