Re: [webauthn] Non-modal registration during conditional assertion (#1929)

> I quite like this proposal as well, but as an operator of an IdP that doesn't rely on passwords, but rather on SMS or Email OTP as the only factor, I am wondering if we could extend the eligibility of conditional passkey registration to be applicable when the user agent autofills such OTP codes. Perhaps I missed this detail in the spec.

I think this is allowed by the current spec text:

> Note: |conditionalCreateLifetimeTimer| and |conditionalCreateOrigin| will be set by the user agent after it believes an authentication ceremony has been completed and the user consents to this type of credential creation.

Auto-filling an OTP code could be considered part of an "authentication ceremony."

-- 
GitHub Notification of comment by pascoej
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1929#issuecomment-1960499405 using your GitHub account



Received on Thursday, 22 February 2024 23:20:09 UTC