Firstyear
Firstyear
@micolous It sounds like @ericmarkmartin is keen to have a look at this, and it seems to overlap/be similar to your work with the windows apis.
@ericmarkmartin given the way apple is trending, swift might be the safer choice to use here, unless there is a compelling reason to go with obj-c?
@ericmarkmartin Yeah, I think it'll be a case of investigating the two options and deciding :)
> Two insanely popular WebAuthn libraries currently reject registration and authentication based on the fact that be:0, bs:1 is "not allowed" Are you counting webauthn-rs in that list? if not,...
From the view of an RP that has strict certification requirements, I think DPK still isn't enough to make mobile devices trustworthy because they implicitly are binding a credential to...
Given that webauthn sits atop ctap, could we actually use an enumeration of this value to make it clearer?
This has come up before in https://github.com/w3c/webauthn/issues/1739 and https://github.com/w3c/webauthn/issues/1688 The issue is that there is a conflict between "enterprise" who want this level of control, and "browsers" who are looking...
Anyway to answer your question today, the only way is to pre-filter the fido mds offline, determine the set of AAGUIDs of devices taht conform, then you request attestation and...
I agree, but a minimum length would also be a good boundary rather than just recommending something. I've seen production deployments with challenges far shorter than 16 bytes that really...
Correct, length is not enough but it is still an important factor. You can have a 2 byte challenge from the purest entropy money can buy, and that would be...