- From: Arnar Birgisson via GitHub <noreply@w3.org>
- Date: Mon, 13 Apr 2026 21:33:15 +0000
- To: public-webauthn@w3.org
In reply to @mimi89999: CMTG isn't meant to answer "have I seen this physical device before?" A device-bound credential would answer that question, but has other downsides that made it difficult to form consensus around how that interacts with passkeys. A dual-credential approach has indeed been discussed extensively, e.g. #1658 and #1691. There are also other primitives available for that, e.g. in some threat models (in particular on mobile) a plain cookie can be sufficient, in others @w3c/webappsec-dbsc, or other forms of digital credentials.

CMTG instead tries to answer the question "did the provider that synced this passkey apply any counter-phishing methods?" -- The answer to that is trivially "yes" if the passkey didn't sync at all and is still on the same device, but CMTG can additionally give RPs signals for better trust in cases where it has synced, but the provider "did enough" that the RP can avoid e.g. 2nd factor auth that it might otherwise require.

Many RPs use very long-lived sessions, and for those RPs device migration is the primary driver of sign-in. I.e., while it may be infrequent when counting the number of days that a user uses a device, it can be the case that most sign-ins are actually cases of device migration. The proximity-verification and other methods in the explainer are chosen so that they can reasonably cover a significant fraction of password manager sign-ins.

--
GitHub Notification of comment by arnar
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2338#issuecomment-4239777066 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 13 April 2026 21:33:16 UTC