Hacker News new | ask | show | jobs
by Hamuko 1503 days ago
Tell the services you interact with that they're basically going against the spec.

"Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account. Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these different credentials are bound to different authenticators."
1 comments
2OEH8eoCRo0 1503 days ago
Is it a SHOULD vs SHALL issue? Link to full spec?
link
Hamuko 1503 days ago
It's SHOULD as per RFC2119, so basically you need to have a good reason with an understanding of the implications to ignore it.

One of the implications here being that you have zero available authenticators if your main authenticator breaks.

https://www.w3.org/TR/webauthn-2/

link