Firstyear
If you leave user experience to the end, you'll potentially design a system that technically is excellent but you can't make usable. Why not design a usable system first and...
This is a lot of extra energy/effort to verify if a credential is multi-device - some RPs may want the stronger signature checking of validation that the sync credential was...
> I noticed that during `credentials.create(...)`, if the list does not contain what the authenticator can provide, the authenticator will not be included in the list of authenticators to choose...
@MasterKale Or you add a new section and link to it from those locations so that it's only one place? Saying that it's a bit of a weird situation because...
I agreed with @arshadnoor here. There is a great risk that over-complication and feature extension to this standard will open us to security issues and undermine the trust that exists...
This sounds like a problem for the RP to think about and implement their own workflows, not for the devices to have to share secrets which weakens the whole...
A big issue is that currently the webauthn spec practically forces client-side transform of requests/responses due to the usage of uint8arrays which can't be encoded to json. When requested...
@AadaEa No. There is work to allow a "transformation" helper in navigator.creds, but you will always need javascript. See https://github.com/w3c/webauthn/pull/1703
@devsnek I think you are thinking about something like https://www.rfc-editor.org/rfc/rfc8705.html or https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop . The issue with the suggestion you have here is that user presence and interaction is a really...
> > user presence and interaction is a really core part of how these devices work
>
> Yes and no. At least CTAP2 actually can perform `getAssertion` without user...