Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Functional things to think about

  • Only support for the authentication ceremony
    • Registration ceremony is handled elsewhere, out-of-band e.g. using Privacy Idea, or something else.
    • Need a standard way to retrieve the registered credentials;
      • or ask the party responsible for registration to generate a CredentialRequestOptions for the authentication ceremony to proceed, and ask it to validate the resulting assertion. 
  • Support for 'single-factor and '2nd-factor' experiences?
    • Statically configured, or determined at runtime:
      • This depends on the 'type' of authenticator you have e.g. does it support single-factor webauthn (supports UserVerification) or just 2nd-factor (only supports UserPresence)
    • Also, requires the authentication request (CredentialRequestOptions) to signal that requirement - easy enough if we control the creation of that, but not if we delegate to say PI?
  • Support for usernameless in addition to passwordless. Depends on Credential Storage Modality.
    • Passwordless requires an initial username input step, and key material can be stored IdP side - not on the authenticator.
    • Usernameless requires the authenticator to store the public-private key pair, in addition to a user handle specific to that origin (site). Also know as a resident key or discoverable key.