
Tell the services you interact with that they're basically going against the spec.

"Relying Parties SHOULD allow and encourage users to register multiple credentials to the same account. Relying Parties SHOULD make use of the excludeCredentials and user.id options to ensure that these different credentials are bound to different authenticators."
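The quoted guidance, as an added example that is not part of the thread: a Relying Party builds its registration options with a stable `user.id` and an `excludeCredentials` list covering every credential the account already has, so the authenticator that holds one of them refuses to mint a second and the new credential ends up on a different device. The function names, the relying-party values and the stored credential ids are constructed for the example.

```javascript
// Added example (not from the thread): registration options that follow the
// quoted SHOULD. user.id is the account's stable opaque id, and excludeCredentials
// lists every credential already on the account so the authenticator holding
// one of them declines to create another; the new key therefore lands on a
// different authenticator. Names and sample values below are constructed.

const BASE64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode unpadded base64url (how credential ids are usually stored) to bytes.
function base64urlToBytes(s) {
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    const v = BASE64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url: " + ch);
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return new Uint8Array(out);
}

function bytesEqual(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

// Constructed sample: two credentials the account already has, stored as base64url.
const existingCredentialIds = [
  "AQIDBAUGBwgJCgsMDQ4PEA", // constructed: the credential on a hardware key
  "EBEhMUFRYXGBkaGxwdHh8g", // constructed: the credential on a phone
];

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `challenge` must be fresh random bytes minted by the server for this ceremony.
function buildRegistrationOptions({ rpId, rpName, userId, userName, challenge, existingIds }) {
  return {
    challenge,
    rp: { id: rpId, name: rpName },
    user: {
      id: userId,            // same stable id for every credential on this account
      name: userName,
      displayName: userName,
    },
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    // The authenticator refuses to create a credential if it already holds any of these.
    excludeCredentials: existingIds.map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
    authenticatorSelection: { residentKey: "preferred", userVerification: "preferred" },
    attestation: "none",
    timeout: 60000,
  };
}

// Server-side check after the ceremony: the browser-side list is advisory, so the
// server still rejects a rawId that the account already has on file.
function isAlreadyRegistered(rawId, existingIds) {
  return existingIds.some((id) => bytesEqual(rawId, base64urlToBytes(id)));
}

// Usage (browser side), with a locally generated challenge standing in for the
// server-minted one; "dXNlci0xMjM0" is a constructed opaque user id:
//   const opts = buildRegistrationOptions({
//     rpId: "example.com", rpName: "Example",
//     userId: base64urlToBytes("dXNlci0xMjM0"), userName: "alice",
//     challenge: crypto.getRandomValues(new Uint8Array(32)),
//     existingIds: existingCredentialIds,
//   });
//   const cred = await navigator.credentials.create({ publicKey: opts });
```

The `excludeCredentials` entries are what make the spec's second sentence work: with the list present, an authenticator that already holds one of those ids returns an error instead of overwriting or duplicating it, which is exactly the "bound to different authenticators" outcome the quoted text asks for. The server-side `isAlreadyRegistered` check is the belt to that suspender, since the options object is assembled in the browser.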



Is it a SHOULD vs SHALL issue? Link to full spec?


It's SHOULD as per RFC2119, so basically you need to have a good reason with an understanding of the implications to ignore it.

One of the implications here being that you have zero available authenticators if your main authenticator breaks.

https://www.w3.org/TR/webauthn-2/



