Tim Cappalli
> and the intention to distinguish individual users is well achieved

I wouldn't say the goal is to explicitly distinguish individual users. The goal is to ensure an authorized user...
@antonymott it is unclear to me what changes you are requesting to the WebAuthn specification. Can you please clarify?
Just a note that being added to the provider AAGUID list doesn't all of a sudden remove any restrictions a relying party may have in place. This list is only...
IMO, this is already possible today, and just needs some developer guidance on passkeys.dev:
- Related Origin Requests gives you access to the "old" passkey on the new origin.
-...
Why do you need to trigger it for logged in users? Why is this different than any other flow where CC is used? IMO, that's an over optimization for a...
Might be good to write out some developer guidance on how to address this right now, and then evaluate what is missing, before getting into too much solutioning. https://github.com/passkeydeveloper/passkeys.dev/issues/452
Alternative (option 2)

```js
{
  "challenge": "",
  "timeout": 60000,
  "rpId": "mybank.com",
  "userVerification": "required",
  "hints": [
    "card",
    "security-key"
  ],
  "purpose": "authorize"
}
```
Proposed list of new hints:
- card
- badge
- ring
- contact-card
- contactless-card
2025-11-13 TPAC: general agreement to proceed with [proposal 2](https://github.com/w3c/webauthn/issues/2360#issuecomment-3525562095).
> high-risk enterprise workforce scenario.

In these scenarios, managed contexts should be leveraged to meet your desired workforce security outcomes. I am not in favor of adding this at the...