- From: Firstyear via GitHub <noreply@w3.org>
- Date: Fri, 17 Oct 2025 22:05:00 +0000
- To: public-webauthn@w3.org
> Forgive my ignorance, and I know this is a bit off topic so don't plan on discussing this at length here.
>
> Has the inverse also been considered in addition to this? Specifically the ability to prevent backup eligible keys from being produced. For setups where security is the priority over usability this would hold a lot of value I think.

It's attestation with a controlled authenticator list - anything else is an unsigned signal and may be fraudulent.

Anything in authenticatorSelectionCriteria is a *HINT* to the browser about what authenticators it may use. It is NOT a security parameter or requirement (despite the misnaming of this as a "criteria").

--
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2342#issuecomment-3417381792 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 17 October 2025 22:05:01 UTC
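
An added example, not part of the message above or of any project's code: a relying-party-side registration check in the spirit of the comment, which treats the backup-eligibility (BE) flag and the AAGUID as trustworthy only when the authenticator data is covered by a verified attestation from an allowlisted authenticator model. The `attestation_verified` parameter stands for a separate validation of the attestation statement against trusted roots, which is assumed here; the function names, the AAGUID and the sample bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Bits of the authenticator data flags byte (WebAuthn Level 3).
UP, UV, BE, BS, AT, ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80

def parse_auth_data(auth_data: bytes) -> dict:
    """Split authenticator data into rpIdHash, flags, signCount and AAGUID."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    aaguid = None
    if flags & AT:
        if len(auth_data) < 55:  # 37 + 16 (AAGUID) + 2 (credential ID length)
            raise ValueError("truncated attested credential data")
        aaguid = uuid.UUID(bytes=auth_data[37:53])
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": sign_count, "aaguid": aaguid}

def check_registration(auth_data, attestation_verified, allowed_aaguids):
    """Return (accepted, reason) for a no-backup, allowlisted-model policy.

    attestation_verified is an assumption of this sketch: the caller has
    already validated the attestation statement against trusted roots.
    """
    try:
        parsed = parse_auth_data(auth_data)
    except ValueError as exc:
        return False, str(exc)
    flags = parsed["flags"]
    if not attestation_verified:
        return False, "no verified attestation: flags and AAGUID are unsigned"
    if parsed["aaguid"] not in allowed_aaguids:
        return False, "authenticator model not on the allowlist"
    if flags & BS and not flags & BE:
        return False, "invalid flags: BS set without BE"
    if flags & BE:
        return False, "credential is backup eligible"
    return True, "ok"

def sample_auth_data(flags: int, aaguid: uuid.UUID) -> bytes:
    """Constructed sample; the COSE public key is omitted as it is not parsed."""
    cred_id = b"\x01" * 16
    return (hashlib.sha256(b"example.org").digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id)
```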