Firstyear

To help explain I'm suggesting we have: ``` AuthSession { inner: Rc } AuthSessionInner { handle: .... } impl Drop for AuthSessionInner { fn drop (&mut self) { // whatever...

> Ah, I see! Yes, that'll work, though `Arc` is probably preferable since multithreading shouldn't be discounted. I think sessions can be seen as immutable, so you don't have to...

@ionut-arm Anyway, separate to me fixing session handling, I think a pre-lim review of this would be great then I'll get it sorted for merge by squashing and fixing the...

> Can someone explain to me what is happening here. I have a YubiKey connected to a Dell Wyse 3040. ThinOS RDP connection to a Windows 10 machine. When I...

> We would like to discourage the use of single-device authenticators because of their risk of being lost/destroyed/etc and encourage the use of iCloud, Google, 1Password, etc authenticators since they...

We've asked for this before with the ability to "filter" aaguids on the browser that would not meet the attestation requirements, as we identified this problem a long time ago.

I'm not sure this is needed? If you have attestation then you'll know what the credential model is and will allow or disallow UP/UV caching. I can't really see a...

I'm sure that it will then shock you to learn about passkey providers that set UV=true when they do not infact re-validate the user. They already do UV caching. Ergo...

Theres no penalty for them to lie either. Who's checking and regulating any of this?

@emlun The problem was that in a previous ticket chrome developers stated "no one else implemented it so we didn't" but they have a virtual monopoly on browsers, so we...