Firstyear
We could have an API that returns the server's UUID instead, as that's still unique, non-identifiable, and gives you a way to check this.
It would probably make more sense if this was a preference for users to allow reordering rather than it being a central ordering - for example, other providers like Okta...
Yeah. But at the same time, the proxy layer also is hard because then we miss out on a lot of integration options and polish. I'm going to try to...
@twoolie Thanks for this, I added some updates to the doc to clarify some parts in response to some of your comments.
> My request is related to a high-risk enterprise workforce scenario. As a Relying Party I want to be able to opt-out of the [Hybrid transport](https://fidoalliance.org/specs/fido-v2.2-ps-20250714/fido-client-to-authenticator-protocol-v2.2-ps-20250714.html) flow (cross‑device...
> I agree that clientDataJSON seems to be a better place than authenticatorData for such kind of fix as the authenticator might not even be aware of hybrid being used....
> > The only viable option is attestation - this allows you to precisely control the authenticators in use
> > [@Firstyear](https://github.com/Firstyear) why should that technically prevent the hybrid flow?...
I could have sworn we already had an open issue for this feature, but I can't find it. It is something we do want to add in the future.
Only concern I have is we need a similar PR in the 6.0 branch at some point.
> I'd say an option to "ignore invalid creds and alert the admin" would be a valid option in this case - the admin would have to manually start a...