Re: [webauthn] Should an RP be able to provide finer grained authenticator filtering in attestation options? (#1688)

> We would like to discourage the use of single-device authenticators because of their risk of being lost/destroyed/etc and encourage the use of iCloud, Google, 1Password, etc authenticators since they will sync across devices.

And we want the opposite, because all of those synced devices do not meet compliance standards for a number of high security environments, only security-keys do. But we have no way to filter pre-registration so users can incorrectly enroll a key that we are about to reject during attestation.

> So we need to do UA sniffing to understand if it's Windows or not and send a different hint if it's Windows. Does that seem correct?

There are similar needed UA sniffing tricks for Android to get it to swap between "security-key" OR "google passkey stored in google password manager".

If you are worried about people losing devices *encourage* them to enroll multiple keys, and ensure you have workflows to facilitate multiple authenticator enrollments. Do not simply rely on "passkeys are synced" and then limit a user to one credential. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1688#issuecomment-1918062006 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 30 January 2024 23:04:45 UTC