Akshay Kumar

I may not have understood all the requirements, but from the looks of it, there are some scenarios where user need to authenticate first but can do silent authentication there...

Level 2 is done. In Level 3 we can clarify more if people are still confused but would prefer no more variables.

@cyberphone , Although your comments are related, I want this issue to be focused on implications of opening up the webauthn API in cross-origin without iframe context to existing RPs...

Probably, but I don't understand how browser will determine that. If that results in authenticator deciding it, then that webauthn system pop still comes up probably resulting in "No such...

> Today, WebAuthn can be used (at least for Get operations) in iFrames. And, as far as I know, up until this point, we were fine with it. There's nothing...

> The unappealing answer for today is: we currently store a browser-local list of credentials created in that browser with SPC permission, and require at auth-time that a credential matches...

> In that case, the RP cannot create a new registration without the risk of silently invalidating old registration. Don't understand. Why would existing registration will not suffice? And if...

> More to the point, there is no way to tell from a successful get response whether the authenticator would satisfy isUserVerifyingPlatformAuthenticatorAvailable() in a fresh browser profile, right? Yes, In...

@rlin1 / @arshadnoor I have some answers but not all to above questions. And probably it's best that individual platform/Authenticator answers them individually. Also, I am not sure whether above...

We cannot break deployments out there with this breaking change. Multiple RPs (including ours) deployment will break with this change.