Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for credential backup flags #378

Merged
merged 2 commits into from
Feb 1, 2023
Merged

Add support for credential backup flags #378

merged 2 commits into from
Feb 1, 2023

Conversation

santiagorodriguez96
Copy link
Contributor

@santiagorodriguez96 santiagorodriguez96 commented Nov 14, 2022
edited
Loading

What

Add ability to access the backup_eligibility and backup_state flags in the authenticator data.

Introduces the methods PublicKeyCredential#backup_eligible? and PublicKeyCredential#backed_up? to access them.

Why

Level 3 of the draft adds this flags to the Authenticator Data: https://w3c.github.io/webauthn/#sctn-credential-backup. Those flags can be used to get information about credential's backup eligibility and current backup state. With the introduction of multi-device FIDO credentials, this information can be useful for Relying Parties. According to the documentation:

The following is a non-exhaustive list of how Relying Parties might use these flags:

  • Upgrading a user to a password-free account:

    When the BS flag changes from 0 to 1, the authenticator is signaling that the credential is backed up and is protected from single device loss.

    The Relying Party MAY choose to prompt the user to upgrade their account security and remove their password.

  • Adding an additional factor after a state change:

    When the BS flag changes from 1 to 0, the authenticator is signaling that the credential is no longer backed up, and no longer protected from single device loss. This could be the result of the user actions, such as disabling the backup service, or errors, such as issues with the backup service.

    When this transition occurs, the Relying Party SHOULD guide the user through a process to validate their other authentication factors. If the user does not have another credential for their account, they SHOULD be guided through adding an additional credential to ensure they do not lose access to their account. For example, the user could be prompted to set up an additional authenticator, such as a roaming authenticator or an authenticator that is capable of multi-device credentials.

@santiagorodriguez96 santiagorodriguez96 marked this pull request as ready for review November 15, 2022 14:55
@santiagorodriguez96 santiagorodriguez96 mentioned this pull request Feb 1, 2023
Closed
@santiagorodriguez96 santiagorodriguez96 merged commit 4316a3e into master Feb 1, 2023
@santiagorodriguez96 santiagorodriguez96 deleted the add_support_for_credential_backup_flags branch February 1, 2023 19:12
@hagould hagould mentioned this pull request Feb 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brauliomartinezlm brauliomartinezlm Awaiting requested review from brauliomartinezlm

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@santiagorodriguez96