
Add support for credential backup flags #378

Merged (2 commits), Feb 1, 2023

Conversation

santiagorodriguez96 (Contributor) commented Nov 14, 2022

What

Add ability to access the backup_eligibility and backup_state flags in the authenticator data.

Introduces the methods PublicKeyCredential#backup_eligible? and PublicKeyCredential#backed_up? to access them.

Why

Level 3 of the draft adds these flags to the Authenticator Data: https://w3c.github.io/webauthn/#sctn-credential-backup. Those flags can be used to get information about a credential's backup eligibility and current backup state. With the introduction of multi-device FIDO credentials, this information can be useful for Relying Parties. According to the documentation:

The following is a non-exhaustive list of how Relying Parties might use these flags:

  • Upgrading a user to a password-free account:

    When the BS flag changes from 0 to 1, the authenticator is signaling that the credential is backed up and is protected from single device loss.

    The Relying Party MAY choose to prompt the user to upgrade their account security and remove their password.

  • Adding an additional factor after a state change:

    When the BS flag changes from 1 to 0, the authenticator is signaling that the credential is no longer backed up, and no longer protected from single device loss. This could be the result of user actions, such as disabling the backup service, or errors, such as issues with the backup service.

    When this transition occurs, the Relying Party SHOULD guide the user through a process to validate their other authentication factors. If the user does not have another credential for their account, they SHOULD be guided through adding an additional credential to ensure they do not lose access to their account. For example, the user could be prompted to set up an additional authenticator, such as a roaming authenticator or an authenticator that is capable of multi-device credentials.
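As an added example (not code from this pull request or from the project itself), the Ruby below reads the BE and BS bits out of the authenticator data flags byte, rejects the combination the spec forbids (BS set while BE is clear), and maps a change in the stored BS value to the two Relying Party reactions quoted above. The `AuthDataFlags` class, `backup_state_transition` method and the sample data are assumptions made for this example.

```ruby
require "digest"

# Bit positions in the WebAuthn Level 3 authenticator data "flags" byte.
FLAG_UP = 1 << 0 # user present
FLAG_UV = 1 << 2 # user verified
FLAG_BE = 1 << 3 # backup eligibility
FLAG_BS = 1 << 4 # backup state
FLAG_AT = 1 << 6 # attested credential data included
FLAG_ED = 1 << 7 # extension data included

# Minimal view of authenticator data: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
# Hypothetical class for this example, not the project's PublicKeyCredential API.
class AuthDataFlags
  attr_reader :rp_id_hash, :flags, :sign_count

  def initialize(bytes)
    raise ArgumentError, "authenticator data too short" if bytes.bytesize < 37
    @rp_id_hash, @flags, @sign_count = bytes.unpack("a32CN")
    # The spec only allows BS to be set when the credential is backup eligible.
    raise ArgumentError, "BS flag set without BE" if backed_up? && !backup_eligible?
  end

  def backup_eligible?; (@flags & FLAG_BE) != 0; end
  def backed_up?;       (@flags & FLAG_BS) != 0; end
end

# Relying Party reaction to the BS value observed in this assertion versus the one stored
# for the credential, following the guidance quoted in the PR description.
def backup_state_transition(stored_backed_up, observed_backed_up)
  if !stored_backed_up && observed_backed_up
    :offer_passwordless_upgrade # BS 0 -> 1: credential is now protected from single-device loss
  elsif stored_backed_up && !observed_backed_up
    :verify_other_factors       # BS 1 -> 0: guide the user to confirm or add another credential
  else
    :no_change
  end
end

# Constructed sample authenticator data: rpIdHash of "example.com", caller-chosen flags, signCount 7.
def sample_auth_data(flags)
  [Digest::SHA256.digest("example.com"), flags, 7].pack("a32CN")
end
```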
