-
Notifications
You must be signed in to change notification settings - Fork 178
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update top level use cases to account for multi-device credentials #1720
Comments
Will these use cases also discuss when RP's want to exclude multi-device credentials? |
Proposed text and/or PRs are welcome! |
Sure, I was in the middle of writing these up for a blog anyway, so I'll submit some text and and overview of this from the view of an RP/Enterprise and public site that would want this. |
@MasterKale cc you probably have use cases here we should think about too. |
So, some draft use cases. Especially as someone who implements an RP, and works with a lot of people deploying theirs, I think this boils down to a set of five possible scenarioes and workflows. Security Token (Public) In this use case, we want our authenticator to be a single factor to compliment an existing password. Generally in this use case, most identity providers do not care about attestation of the authenticator, Step wise this would appear as: Registration:
Authentication:
Security Token (Corporate) This is the same as the public use case, except that in many corporations we may want to define a list For this example, we likely want attestation, as well as the ability to ensure these credentials are Since these are guided by policy, we likely want to have our userinterfaces guide our users to register The changes to the workflow in this example are based in the registration. Registration:
Passwordless (Public) In this example, rather than having our authenticator as a single factor, we want it to be truly As a result, we need to strictly verify that the authenticator did a valid user verification. Given that the authenticator is now the "sole" authenticator (even if multi-factor) we are more Registration:
Authentication:
Passwordless (Corporate) Again, this is similar to above. We narrow and focus this use case with a stricter attestation list Registration:
Usernameless Usernameless is similar to passwordless but requires resident keys as the username of the account It's worth noting that due to the complexity and limitations of resident key management it is not feasible Registration
Authentication:
|
The current top level use cases (
sctn-use-cases
) were written prior to the multi-device credential effort and should be rewritten to include this new topic.Be sure to include: #1735
The text was updated successfully, but these errors were encountered: