Shane Weeden

You are correct with regards to login operations and I have subsequently updated my earlier comment to indicate use of navigator.credentials.create instead of navigator.credentials.get.

I think it depends on whether or not there is a need for something new in the spec to satisfy your use case requirements. I'm not sure there is, but...

> > Alternatives in this field require browser redirects or iframes that access both a.com (for authentication) and then perform federated SSO to b.com. This is an undersirable user experience...

> Putting another hole in the same-origin policy with a new facet-like mechanism isn't necessary for the consumer example; our permissions issue in #1336 aside, the iframe mechanisms are or...

I'm starting to think that the _runtime connection only to the PISP and not the bank_ argument for justifying the approach described in this issue is flawed. If a browser...

I concur with the requirements. Many RPs want the one-touch-and-done strong authentication UX that attested, device-bound credentials offer. The spec itself is unlikely to influence whether or not these requirements...

Would be nice if someone from Apple could confirm this is no longer a requirement for use of the platform authenticator?

The right place to ask this question is the fido-dev mailing list: https://groups.google.com/a/fidoalliance.org/g/fido-dev If you are only using empty allowCredentials then you don't need to store it. It has a...

That's the primary use case (at least AFAIK). There is perhaps statistical or UX value in the RP knowing the transports of a user's registered credentials (you might make suggestions...

Conditional WebAuthn does not require long lived challenges. Sent from my iPhone On 20 Feb 2023, at 10:13 pm, Fredrik Tolf ***@***.***> wrote:  While I can understand the "temporarily...