- From: Rolf Lindemann via GitHub <sysbot+gh@w3.org>
- Date: Mon, 11 Sep 2023 13:06:17 +0000
- To: public-webauthn@w3.org
> Are there requirements for an RP to know if the _user_ in control of the credential has changed? I know that in native mobile apps it's typically possible to get signals when enrolled biometrics change, and in some cases apps require reauthentication (i.e. re-identity-proofing) when such a thing happens. If so, is it practical or possible for a provider to signal whether or not, from that provider's perspective, the user account (belonging to the passkey provider) exercising the credential has changed?
>
> The point here is, are we satisfying real RP policy requirements with the proposals in this extension.

I think the provider should state whether sharing passkeys with other people is a use case that is actively supported - and whether exporting the provider-scoped key is also actively supported or not (hopefully not). But: attestation of the provider-scoped key is needed for the RP to understand how much trust they want to put into it.

--
GitHub Notification of comment by rlin1
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1957#issuecomment-1713842997 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 11 September 2023 13:06:20 UTC