Re: [webauthn] devicePubKey → supplementalPubKeys (#1957) from Shane Weeden via GitHub on 2023-09-11 (public-webauthn@w3.org from September 2023)

From: Shane Weeden via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Sep 2023 08:45:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1713441141-1694421913-sysbot+gh@w3.org>

Are there requirements for an RP to know if the *user* in control of the credential has changed? I know that in native mobile apps its typically possible to get signals when enrolled biometrics changes, and in some cases apps require reauthentication (i.e. re-identity-proofing) when such a thing happens. If so, is it practical or possible for a provider to signal whether or not, from that provider's perspective, the user account (belonging to the passkey provider) exercising the credential has changed?

The point here is, are we satisfying real RP policy requirements with the proposals in this extension.

-- 
GitHub Notification of comment by sbweeden
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1713441141 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 11 September 2023 08:45:17 UTC