- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 May 2025 07:16:46 +0000
- To: public-webauthn@w3.org

Okay, but do I then understand correctly that a passkey added through conditional create will need to be used at least twice after registration before we can use it as the sole factor for sign in? That seems to be in contradiction with the flow the explainer originally tried to describe. Namely, automatically create a passkey during password login so that next time you don't need to enter a password.

But at this point we don't know anything about the passkey's capability of UV. So on next login someone uses the passkey and has UV set to 1. uvInitialized is still false, so we need to ask for a second authentication factor (the user's password), and only then can we set uvInitialized to true.

That means that with the conditional create flow a person needs to enter their password twice? Once before the key is automatically created, and another time on subsequent login where we haven't proven yet that the key is suitable to be used as the sole method. Which isn't as smooth as it was originally intended, I think?

--
GitHub Notification of comment by arianvp
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2295#issuecomment-2882812156 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 May 2025 07:16:47 UTC