Mobile support #1045
Comments
AFAIK the "platforms" (e.g., Windows, Android) wish to address this in platform-specific manners. Also AFAIK, see here for Android: https://developers.google.com/identity/smartlock-passwords/android/associate-apps-and-sites |
I think there's application-level answer, it is as Jeff said, up to the platform. In my opinion, I think WebAuthn can leave additional restrictions on RP ID as an exercise to the platform implementations and their documentation. |
on 19-Sep call, decided we should just add a little note that points off to the appropriate docs (see #1045 (comment)) tho we ostensibly need a link for Windows, otherwise we could just say "see platform docs/guides as appropriate" and not have any links. @akshayku argues that such links change fairly often, so wants to just use something like the proposed test above. |
I'll add a quick PR to add this to the introduction with text that says something like: Section 1.3
|
Looks fine to me. |
#1045 (comment) LGTM, thx @jcjones ! |
+1. Let's merge it in. |
Closed by 802613e |
Honestly, I don't think that it is the solution, it is rather a workaround. It doesn't solve the problem "how do I share the key between web authentication and the app" but instead it shares the whole login through a proprietary third-party system. I think such a decision will hurt the federated nature of the web and will slow down Webauthn adoption significantly. Another workaround is apps like "yubico authenticator" which shouldn't really exist if Webauthn is adopted. May it be implemented as an extension? u2f has this and it should be possible to tell the hardware key "yes, we want to generate the same key in this case". This capability totally makes sense to me and it is already implemented by some hardware so I see no reason why it should be completely ignored. |
I appreciate the objection and the desire to use the WebAuthn infrastructure for non-web things, but ultimately WebAuthn is a www standard and fundamentally tied to web- and browser infrastructure. Non-web things, although related, are unfortunately off topic, so I don't think it's appropriate to specify normative implementation guidance for them here. |
We at Tutanota were trying to migrate from the legacy u2f API to Webauthn.
The moment that confuses us is support for scenarios where mobile apps are involved. With u2f APIs it is possible to specify possible domains and/or other identifiers for apps but we've found no mention of relaxing RP ID requirements in the current standard.
Should it be covered by another standard, e.g. CTAP/FIDO2, or should it be a part of the Webauthn spec but is deliberately omitted?
Thanks.