diff --git a/index.bs b/index.bs index 06bcd0af9..e005beb53 100644 --- a/index.bs +++ b/index.bs @@ -32,6 +32,7 @@ Former Editor: Angelo Liao, w3cid 94342, Microsoft, huliao@microsoft.com Former Editor: Rolf Lindemann, w3cid 84447, Nok Nok Labs, rolf@noknok.com !Contributors: John Bradley (Yubico) !Contributors: Christiaan Brand (Google) +!Contributors: Tim Cappalli (Microsoft) !Contributors: Adam Langley (Google) !Contributors: Giridhar Mandyam (Qualcomm) !Contributors: Matthew Miller (Cisco) @@ -3544,7 +3545,13 @@ laid out as shown in Table Table . + +The values of bits 3 and 4 may change over time based on the state of the [=authenticator=]. Table below defines +valid combinations and their meaning. + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
Bit 3 valueBit 4 valueDescription
`0``0` + The credential is a single-device credential and cannot become a multi-device credential +
`0``1` + This combination is not allowed +
`1``0` + The credential is currently a single-device credential but may become a multi-device credential in the future +
`1``1` + The credential is a multi-device credential +
+
+ [=Authenticator data=] bits 3 and 4 combinations +
+
+ +It is recommmended that [=Relying Party|Relying Parties=] store the last value of these bits with the user account for future evaluation. + +The following is a non-normative, non-exhaustive list of how [=Relying Party|Relying Parties=] may utilize these bits: + + - Requiring additional [=authenticators=]: + When bit 3 is set to `0`, the [=authenticator=] will never allow the credential to transition from a single-device credential to + a multi-device credential. + + A single-device credential is not durable and cannot survive single device loss. [=Relying Party|Relying Parties=] + should ensure that an account has additional [=authenticators=] enrolled and/or an account recovery process in place. + + For example, the user could be prompted to set up a single-device credential on a [=roaming authenticator=], like a + security key, or another [=authenticator=] that is capable of holding multi-device credentials. + + - Upgrading a user to a password-free account: + When bit 4 changes from `0` to `1`, the [=authenticator=] is signaling that the [=Public Key Credential Source|credential source=] + is durable (it has been backed up and is protected from single device loss). This is often referred to as a multi-device credential. + + A [=Relying Party=] may decide to prompt the user to upgrade their account security and remove their password. + + - Adding an additional factor after a state change: + When bit 4 changes from `1` to `0`, the [=authenticator=] is signaling that the [=Public Key Credential Source|credential source=] + is no longer durable (not backed up and is not protected from single device loss). This could be the result of the user deleting the + credential, deleting a backup account, an issue with the backup service, or another undefined error condition. + + When this transition occurs, the credential is no longer durable and a [=Relying Party=] should guide the user through a process to + validate their other sign in factors. 
If the user does not have another durable credential for their account, they should be guided + through adding an additional authentication factor to ensure they do not lose access to their account. An example would be prompting + the user to set up a single-device credential on a [=roaming authenticator=], like a security key, or another [=authenticator=] that + is capable of holding multi-device credentials. + ## Authenticator Taxonomy ## {#sctn-authenticator-taxonomy} Many use cases are dependent on the capabilities of the [=authenticator=] used.
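Review bot: in the paragraph following the table, "recommmended" should be "recommended", and both "Table below defines valid combinations and their meaning" and the context line "laid out as shown in Table Table ." are missing the table reference itself; since the table carries the caption "[=Authenticator data=] bits 3 and 4 combinations", giving it an id that those two sentences can cite would fix both. Minor: "sign in factors" reads better as "sign-in factors". On the "Upgrading a user to a password-free account" bullet, the text lets a bit 4 transition from `0` to `1` lead to removing the password, yet the surrounding wording only says the authenticator "is signaling" durability; consider adding a sentence that this state is asserted by the authenticator and that a [=Relying Party=] should decide how far to trust that assertion before dropping an existing factor, in contrast to the "no longer durable" bullet, which already moves in the safer direction of adding a factor.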