Re: [webauthn] Can we document protections (if any) around userHandle (with user-verification)? (#2266) from Emil Lundberg via GitHub on 2025-02-25 (public-webauthn@w3.org from February 2025)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Feb 2025 11:25:38 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-2681635220-1740482734-sysbot+gh@w3.org>

> I don't know of any way to make that happen, but I am trying to find out if that is possible in ways I am not aware of?

Yes, CTAP2 security keys such as YubiKey 5 behave that way, because the security key has no concept of separate users. So this:

>HER credential (tied to her face)

is inaccurate in that case. All credentials on the security key are "tied to" ALL UV factors configured on the security key, and those UV factors may change over time.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2266#issuecomment-2681635220 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 25 February 2025 11:25:38 UTC