Rolf Lindemann
Some references for allowing a single authenticator to provide multiple factors (e.g. 2FA) here: a) NIST SP 800-63 3B, see https://pages.nist.gov/800-63-3/sp800-63b.html - see section 5.1.8.1 Multi-Factor Cryptographic Software Authenticator and...
WebAuthn is specifically mentioned to provide MFA in https://zerotrust.cyber.gov/federal-zero-trust-strategy/#identity
Note: In FIDO (except U2F), there is the notion of User Verification versus User Presence. When someone presents the Authenticator and presses a button (i.e. User Presence) this is considered...
Decision: Keep open, but no immediate action. Privacy aspect seems difficult to address appropriately. Use cases don't seem that relevant for WebAuthn at this time.
Regarding the security characteristic, for me there are 4 important aspects: 1. Which keys can be cloud-synchronized? None, individual keys, all - and how could the RP tell by looking...
Some clarifying questions: 1. You're referring to the UI rendered by the platforms (Browser/OS) as opposed to the UI rendered by the relying party, correct? 2. What do you mean...
Wouldn't DPK support (PR#1663) be sufficient? Essentially not preventing the multi-device key, but ensuring an additional single-device key being established *per device*.
I wouldn't do the last two steps that you proposed, i.e. "RP rejects registration" and "browser renders error". In the ideal case, the RP receives a DPK extension signed with...
... and: supporting attestation for the DPK is the only way to distinguish maliciously generated keys from keys generated by trusted authenticators. Ideally, there would be attestation for the multi-device...
I read that as a request for a "hint" to the browser that the user shouldn't be confused by "connect roaming authenticators now". @Kieun: Is this what your underlying use...