Re: [webauthn] Add Credential Manager Trust Group Key (CMTG) extension (#2338)

Could the core RP need ("have we seen this physical device before?") be addressed more simply by encouraging registration of both a synced credential and a device-bound credential stored in the platform's secure element per device?

The synced credential is there for migration, recovery, and signing in on new devices. The device-bound one stays on the hardware and never leaves, so if an RP sees it again, they know it's the same physical device and can skip step-up auth. When a user sets up a new device, the synced credential bootstraps access, and a fresh device-bound credential gets registered on it.

Device migration is a relatively infrequent operation, and this approach avoids the complexity of defining and evolving trust relationships between devices. The proximity verification methods described in the explainer (cross-device authentication, shared security keys, eSIM matching) seem to cover fairly narrow scenarios. Many desktops lack Bluetooth, and shared eSIMs are uncommon.

Has this dual-credential approach been considered and ruled out for reasons I'm missing?

-- 
GitHub Notification of comment by mimi89999
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2338#issuecomment-4185730176 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 4 April 2026 00:04:28 UTC
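One way an RP could implement the dual-credential policy described in the comment above, as an added example in Python that is not code from the thread or from the WebAuthn project. It assumes the RP classifies a credential at registration from the WebAuthn authenticator data BE (backup eligible) flag, a detail the comment does not spell out, and all names, credential IDs and authenticator-data bytes are constructed.

```python
# Added example, not from the thread: RP-side sketch of "synced + device-bound"
# credentials. Assumption: BE flag (bit 3 of the flags byte at offset 32 of the
# authenticator data) set -> synced credential; clear -> device-bound.

FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS = 0x01, 0x04, 0x08, 0x10

def parse_flags(authenticator_data: bytes) -> dict:
    """Decode the flags byte that follows the 32-byte rpIdHash."""
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    f = authenticator_data[32]
    return {"up": bool(f & FLAG_UP), "uv": bool(f & FLAG_UV),
            "be": bool(f & FLAG_BE), "bs": bool(f & FLAG_BS)}

class RelyingParty:
    def __init__(self):
        # user_id -> {credential_id: {"kind": "synced" | "device-bound"}}
        self.accounts = {}

    def register(self, user_id, credential_id, authenticator_data):
        kind = "synced" if parse_flags(authenticator_data)["be"] else "device-bound"
        self.accounts.setdefault(user_id, {})[credential_id] = {"kind": kind}
        return kind

    def authenticate(self, user_id, credential_id, authenticator_data):
        """Decision after a cryptographically valid assertion.

        A device-bound credential seen before proves the same physical device:
        no step-up. A synced credential may arrive from a device the RP has never
        seen: step up, then ask the client to enrol a device-bound credential so
        the next sign-in from that device is frictionless.
        """
        cred = self.accounts.get(user_id, {}).get(credential_id)
        if cred is None:
            return {"allow": False, "reason": "unknown credential"}
        be = parse_flags(authenticator_data)["be"]
        # WebAuthn requires BE to stay constant for a credential's lifetime;
        # a change means the assertion does not match what was registered.
        if be != (cred["kind"] == "synced"):
            return {"allow": False, "reason": "BE flag changed since registration"}
        if cred["kind"] == "device-bound":
            return {"allow": True, "step_up": False, "enrol_device_bound": False}
        return {"allow": True, "step_up": True, "enrol_device_bound": True}

def auth_data(flags: int) -> bytes:
    """Constructed 37-byte authenticator data: rpIdHash(32) | flags | signCount(4)."""
    return b"\x00" * 32 + bytes([flags]) + b"\x00\x00\x00\x01"
```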