In section 3, FIDO re-authentication, it is stated that "If the user clicks on “Next”, then check whether you have a credential id associated with the user and device (for example, check a cookie or read from local storage)."
Two points that I think are worth addressing here:
Safari, with ITP support, would actually delete local storage or JS-accessible cookies after 7 days without use. So if we recommend using either here -- need to make sure that implementers are aware that this will need to have some sort of fallback (what would that fallback be?). Alternatively suggest using HTTP-only cookies which aren't deleted after 7 days and possibly mirroring their values back to the client by the Server.
On Windows different browsers (e.g. Chrome and Edge) use the platform's FIDO2 client, which shares registered platform-attached credentials among applications. So if I go to https://www.example.com from Chrome and register a platform-attached credential, then I go to https://www.example.com from Edge -- that platform-attached credential should be made available to me. But since cookies / local storage aren't shared by browsers -- this won't be reflected to the user.
We should, at a minimum, refer to this in this document -- not to mention work on the standard further to accommodate this use case.
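The first point above (an HttpOnly cookie that survives ITP's script-writable-storage expiry, mirrored back by the server, with local storage treated only as a cache) worked through as an added example; this is not code from the guidance document, the WebAuthn specification or any library, and the cookie name, the '|' join format and all helper names are assumptions.

```javascript
// Added example (not from the guidance document or any library; all names are hypothetical).
// The relying party keeps the credential IDs for re-authentication in an HttpOnly cookie,
// which Safari ITP does not purge after 7 days the way it purges localStorage and
// JS-accessible cookies, and mirrors them back to the page in its re-auth options
// response. The client treats localStorage only as a cache that may have been cleared.
const COOKIE_NAME = 'fido_cred_ids';
const B64URL = /^[A-Za-z0-9_-]+$/;          // credential IDs are base64url strings

// Server side: Set-Cookie value. IDs are '|'-joined because base64url never contains '|'.
function buildCredentialCookie(credentialIds) {
  const ids = credentialIds.filter(id => B64URL.test(id));
  return `${COOKIE_NAME}=${ids.join('|')}; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=31536000`;
}

// Server side: recover the IDs from a request's Cookie header so they can be mirrored
// to the client. Malformed entries are dropped rather than forwarded to the page.
function credentialIdsFromCookieHeader(cookieHeader) {
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    return part.slice(eq + 1).trim().split('|').filter(id => B64URL.test(id));
  }
  return [];                                // no cookie: server knows of no credential here
}

// Client side: `storage` stands in for window.localStorage and `mirrored` for the list
// the server returned. An empty, missing or corrupt cache means ITP (or the user) cleared it.
function selectCredentialIds(storage, mirrored) {
  let cached = [];
  try { cached = JSON.parse(storage.getItem(COOKIE_NAME) || '[]'); } catch { cached = []; }
  if (Array.isArray(cached) && cached.length > 0 && cached.every(id => B64URL.test(id))) return cached;
  return mirrored;
}

// Decode base64url to bytes. Buffer is Node-only; in the browser use atob() instead.
function base64urlToBytes(id) {
  return new Uint8Array(Buffer.from(id, 'base64url'));
}

// Client side: the options handed to navigator.credentials.get(); only the credentials the
// relying party has a record of are offered via allowCredentials.
function buildGetOptions(credentialIds, challenge, rpId) {
  return {
    publicKey: {
      challenge, rpId, userVerification: 'preferred',
      allowCredentials: credentialIds.map(id => ({ type: 'public-key', id: base64urlToBytes(id) })),
    },
  };
}
```

The second point (Chrome and Edge on Windows sharing one platform authenticator) is not covered by this: the cookie is still per browser, so a list keyed to the user's account on the server is what would be needed there.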