emlun/README.md

Last active February 20, 2020 15:19

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/emlun/4c3efd99a727c7037fdb86ffd43c020d.js"></script>
Save emlun/4c3efd99a727c7037fdb86ffd43c020d to your computer and use it in GitHub Desktop.

Download ZIP

DRAFT: WebAuthn recovery credentials extension

Raw

This document has moved; its new address is: https://github.com/Yubico/webauthn-recovery-extension

Author

emlun commented Nov 6, 2019

However, one thing is still unclear to me: since username is not involved (that's the whole point of resident credentials), a user handle, which identifies the user, is stored on the main authenticator. So when using the backup authenticator, how does RP know which user account to recover credentials for?

Right, good point. Our proposal does not cover accounts that are identified solely by a user handle, i.e., that don't have a username at all. That's not the entire point of resident credentials, though - it's one use case enabled by them, but I expect the most common use case for them will be to ease day-to-day login flows but still have a username to fall back to.

which banks or other financial institutions do you know which support U2F?

I know Coinbase does, although they don't seem to place requirements on the what authenticator you can use. Either way, with regulations such as PSD2 in the EU, attestation will be important if WebAuthn is to be even evaluated for some use cases.

Author

emlun commented Feb 20, 2020

Note to watchers:

This document has moved; its new address is: https://github.com/Yubico/webauthn-recovery-extension

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment