...
- Only support for the authentication ceremony
- Registration ceremony is handled elsewhere, out of band, e.g. by privacyIDEA or another service.
- Either we need a standard way to retrieve a user's registered credentials (credential IDs and public keys), so that we can build the CredentialRequestOptions and verify the assertion ourselves;
- or we ask the party responsible for registration to generate the CredentialRequestOptions for the authentication ceremony, and ask it to validate the resulting assertion.
- Support for 'single-factor' and '2nd-factor' experiences?
- Statically configured, or determined at runtime:
- This depends on the 'type' of authenticator you have, e.g. whether it supports single-factor WebAuthn (user verification, UV) or only 2nd-factor (user presence, UP).
- Original CTAP1 (U2F) authenticators support only user presence; CTAP2 (FIDO2) authenticators add user verification (PIN or biometric).
- So different users may have different keys with different capabilities; alternatively, limit support to one mode and state that users must have a compatible key.
- See https://www.w3.org/TR/webauthn/#sctn-authenticator-taxonomy
- Also requires the authentication request (CredentialRequestOptions) to signal that requirement (userVerification: "required"); easy enough if we control the creation of that, but not if we delegate it to, say, PI. The option is only a request to the client, so the RP must also check the UV flag in the returned authenticator data before treating the login as single-factor.
- Support for usernameless in addition to passwordless. Depends on the credential storage modality (server-side vs client-side/discoverable credentials).
- Passwordless still requires an initial username input step: the IdP looks up that user's registered credential IDs and lists them in allowCredentials. For server-side credentials the credential ID itself carries the (wrapped) key material, so nothing needs to be stored on the authenticator.
- Usernameless requires the authenticator to store the key pair itself, together with a user handle specific to that RP ID (site); this is a resident key, now called a discoverable credential, and the request is sent with an empty allowCredentials list.
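The two decisions above (UV required or not; allowCredentials populated or empty) show up in the options we issue and again in the checks we run on the assertion. The following is an added example, not code from these notes or from privacyIDEA: it builds PublicKeyCredentialRequestOptions for the single-factor/2nd-factor and passwordless/usernameless combinations, then runs the assertion checks from WebAuthn 7.2 that need only the issued options and the stored credential IDs. Signature verification against the stored public key is left to the caller (the registration party or a WebAuthn library); the function returns the signed bytes for that. RP_ID, ORIGIN, the credential IDs and the sample response are all constructed for the example.

```python
import base64
import hashlib
import json
import os
import struct

# Assumed deployment values for this example (not from the notes).
RP_ID = "idp.example.com"
ORIGIN = "https://idp.example.com"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (PIN/biometric); never set by a CTAP1/U2F-only key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_request_options(credential_ids, *, single_factor, discoverable, rp_id=RP_ID):
    """Build PublicKeyCredentialRequestOptions (JSON-serialisable) for navigator.credentials.get().

    credential_ids: the user's registered credential IDs as fetched from whoever handled
    registration; empty for the usernameless flow, where no username has been entered yet.
    """
    options = {
        "challenge": b64url(os.urandom(32)),  # fresh per ceremony; keep it server-side
        "rpId": rp_id,
        "timeout": 60000,
        # Single-factor login needs UV; "discouraged" avoids a PIN prompt on 2nd-factor-only keys.
        "userVerification": "required" if single_factor else "discouraged",
    }
    if discoverable:
        options["allowCredentials"] = []  # usernameless: authenticator picks a resident key for rpId
    else:
        if not credential_ids:
            raise ValueError("passwordless (server-side credential) flow needs the user's credential IDs")
        options["allowCredentials"] = [{"type": "public-key", "id": b64url(c)} for c in credential_ids]
    return options


def parse_authenticator_data(auth_data: bytes):
    """Fixed prefix of authenticator data: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return auth_data[:32], auth_data[32], sign_count


def check_assertion(options, response, known_credential_ids, *, expected_origin=ORIGIN, stored_sign_count=0):
    """WebAuthn 7.2 checks that need only the issued options and stored credential IDs.

    Returns the bytes the authenticator signed; the caller must still verify response["signature"]
    over them with the credential's stored public key.
    """
    if options["allowCredentials"] and response["id"] not in {c["id"] for c in options["allowCredentials"]}:
        raise ValueError("credential not in allowCredentials")
    credential_id = b64url_decode(response["id"])
    if credential_id not in known_credential_ids:
        raise ValueError("unknown credential")

    client_data_bytes = b64url_decode(response["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("clientData.type is not webauthn.get")
    if client_data.get("challenge") != options["challenge"]:
        raise ValueError("challenge mismatch (replay or wrong ceremony)")
    if client_data.get("origin") != expected_origin:
        raise ValueError("origin mismatch")

    auth_data = b64url_decode(response["authenticatorData"])
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(options["rpId"].encode("ascii")).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    # userVerification in the options is only a request to the client; the RP must check the UV bit.
    if options["userVerification"] == "required" and not flags & FLAG_UV:
        raise ValueError("user verification required but UV flag not set (2nd-factor-only key?)")
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")

    return {
        "credential_id": credential_id,
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
        "signed_bytes": auth_data + hashlib.sha256(client_data_bytes).digest(),
    }


def make_sample_response(options, credential_id, *, user_verified, sign_count=5, origin=ORIGIN):
    """Constructed stand-in for what navigator.credentials.get() returns (no real key, no signature)."""
    client_data = {"type": "webauthn.get", "challenge": options["challenge"], "origin": origin}
    flags = FLAG_UP | (FLAG_UV if user_verified else 0)
    auth_data = hashlib.sha256(options["rpId"].encode("ascii")).digest() + bytes([flags]) + struct.pack(">I", sign_count)
    return {
        "id": b64url(credential_id),
        "clientDataJSON": b64url(json.dumps(client_data).encode()),
        "authenticatorData": b64url(auth_data),
    }


if __name__ == "__main__":
    # Passwordless, single-factor: username known, credential IDs fetched, UV required and checked.
    opts = build_request_options([b"cred-1"], single_factor=True, discoverable=False)
    print(check_assertion(opts, make_sample_response(opts, b"cred-1", user_verified=True), {b"cred-1"}))
    # Usernameless: empty allowCredentials; the user handle in the response would select the account.
    opts = build_request_options([], single_factor=True, discoverable=True)
    print(check_assertion(opts, make_sample_response(opts, b"cred-1", user_verified=True), {b"cred-1"}))
```

In the delegated design the first half (building the options and looking up known credential IDs) is what we would ask the registration party for, and the second half is what it would run on the assertion; keeping both in one place makes it clear that the UV requirement has to be enforced on the way back, not just requested on the way out.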
...