by dwaite 1506 days ago
https://www.chromium.org/security-keys/ , under 'Site Attestation Requirements'

For anything consumer facing (vs employee/contractor facing), the expectation is that a relying party site accepts everything, or supports a set with a clear industry-defined set of limitations (e.g. must have gone through certification and achieved a certain level such that they meet our security regulations).

The set of limitations which you can set during an authentication request are pretty minimal, on purpose - so you will typically have more prompts and more user errors if you decide to try and limit consumer choice.

Other than that, the expectation is that you do not block end users if they e.g. are using one vendor or the other. You may still ask them to perform additional authentication steps, but the goal is that people do not get conflicting requirements across relying parties that lead them to have to carry a key ring of different vendor USB authenticators in order to be able to do their business.