- From: Lukas Ribisch via GitHub <sysbot+gh@w3.org>
- Date: Wed, 30 Mar 2022 02:46:43 +0000
- To: public-webauthn@w3.org
lxgr has just created a new issue for https://github.com/w3c/webauthn:

== Provide an explicit way to opt out of multi-device syncing/backups ==

Sorry in advance if I missed the most recent state of the discussion on multi-device credentials, but if I understand the current proposals correctly,

- This property will be indicated as part of authenticator data (#1692, #1695),
- There will be an opportunity to additionally create per-device "linked/bound" keys (#1658), but
- There _won't_ be an explicit way for an RP to indicate that it wants to opt out of backups/multi-device syncing.

There might be a roundabout way to accomplish this (e.g. through always requesting a device-bound key per #1658), but am I understanding it correctly that there will be no "easy" way to do so, other than effectively only relying on device-bound keys and discarding the "actual" key? Is this intentional?

At least for some scenarios, account takeover/phishing might be a large enough concern that RPs might decide to not accept certain (probably mostly host-based) authenticator models' attestation keys anymore for their service, even though they might otherwise be satisfied with the authenticator's security policies and implementation.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1714 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 30 March 2022 02:46:45 UTC
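The "roundabout" opt-out the issue describes amounts to an RP-side policy: read the backup-related flags out of authenticator data at registration and refuse to enrol a credential that is marked as backup-eligible. The following Python is an added example written for this archive page; it is not code from the issue author, from the w3c/webauthn repository, or from any spec text. The issue itself only says the property is carried in authenticator data; the bit positions used here (Backup Eligibility in bit 3, Backup State in bit 4 of the flags byte) are the ones WebAuthn Level 3 later assigned, the RP ID `example.com`, the function names and the sample authenticator data are all constructed for illustration.

```python
"""RP-side check of the backup flags in WebAuthn authenticator data.

Added example, not from the issue or the w3c/webauthn project. The BE/BS
bit positions are an assumption taken from WebAuthn Level 3; the RP ID
and the sample credentials are constructed for this demonstration.
"""
import hashlib
import struct
from dataclasses import dataclass

# Flags byte of authenticatorData (bit 0 is the least significant bit).
FLAG_UP = 1 << 0   # User Present
FLAG_UV = 1 << 2   # User Verified
FLAG_BE = 1 << 3   # Backup Eligibility (assumed position, WebAuthn L3)
FLAG_BS = 1 << 4   # Backup State (assumed position, WebAuthn L3)
FLAG_AT = 1 << 6   # Attested credential data included
FLAG_ED = 1 << 7   # Extension data included


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def backup_eligible(self) -> bool:
        return bool(self.flags & FLAG_BE)

    @property
    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_auth_data(data: bytes) -> AuthData:
    """Parse the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian).

    Attested credential data and extensions (AT/ED) follow this prefix and
    are not needed for the backup-policy decision, so they are left unparsed.
    """
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def check_backup_policy(ad: AuthData, expected_rp_id: str,
                        allow_multi_device: bool) -> tuple[bool, str]:
    """Emulate the opt-out the issue asks for.

    An RP that does not want synced credentials rejects, at registration,
    any credential whose BE flag is set. BS without BE is an invalid
    combination regardless of policy, so it is always rejected.
    """
    if ad.rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rejected: rpIdHash does not match expected RP ID"
    if ad.backed_up and not ad.backup_eligible:
        return False, "invalid: BS set without BE"
    if ad.backup_eligible and not allow_multi_device:
        return False, "rejected: credential is backup-eligible"
    return True, "accepted"


def make_auth_data(rp_id: str, flags: int, sign_count: int = 0) -> bytes:
    """Build constructed sample authenticator data (no AT/ED payload)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


# Constructed samples: a device-bound credential and a synced (backed-up) one.
DEVICE_BOUND = make_auth_data("example.com", FLAG_UP | FLAG_UV)
SYNCED = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS)

if __name__ == "__main__":
    for label, raw in (("device-bound", DEVICE_BOUND), ("synced", SYNCED)):
        ad = parse_auth_data(raw)
        ok, why = check_backup_policy(ad, "example.com", allow_multi_device=False)
        print(f"{label}: BE={ad.backup_eligible} BS={ad.backed_up} -> {why}")
```

Note that this only lets the RP refuse a synced credential after the authenticator has already created it; it does not ask the authenticator to create a device-bound one instead, which is exactly the gap the issue points at.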