How should website authors "get or create"? #1533
Comments
|
I think your answers ought to be addressed in https://github.com/fido-alliance/how-to-fido/blob/master/HowToFIDO.md --- a subtle-but-important aspect of making this work smoothly is for the platform authenticator to support discoverable credentials, such that the RP does |
Indeed, I'd love to be able to rely on resident key/client-side discoverable credentials. But since Android Chrome doesn't support them (yet), is there something better if we want to support all the major platform authenticators in the short term? |
Another point that has been fuzzy for me...when would a site know to trigger a call to |
|
Though, I failed to note (apologies) that how-to-FIDO does guide one on how to have a good user experience even in the abscence of platform authenticator discoverable credentials. i.e., discoverable credentials are not necessarily essential. |
|
We suggest further discussion of this be taken up at https://github.com/fido-alliance/how-to-fido/blob/master/HowToFIDO.md since there is not an issue here with the webauthn spec per se, and are closing this issue. |
Add conditional UI flow This PR enables a non-modal "conditionally mediated" UI feature for WebAuthn which RPs may utilize to provide a credential selection UI only if the user has a discoverable credential registered with the Relying Party on their authenticator (the latter being the "condition"). The credential is displayed alongside an autofilled username or password input field. This helps RPs solve the "bootstrapping problem" when migrating their user base from traditional username and password to WebAuthn: websites can fire a WebAuthn call while showing their typical username and/or password prompt without worrying about showing a modal dialog error if the device lacks appropriate credentials. See also: https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI Fixes #1545 Overview "omnibus" issue: #1637 See also discussion in Issues #1356 #1533 #1568 Co-authored-by: Nina Satragno <[email protected]> Co-authored-by: Jeff Hodges <[email protected]> Co-authored-by: Emil Lundberg <[email protected]> Co-authored-by: Matthew Miller <[email protected]>
Suppose a site is trying to implement "trusted device" functionality, as suggested at https://w3c.github.io/webauthn/#sctn-authenticator-attachment-modality.
The first registration is easy:
isUserVerifyingPlatformAuthenticatorAvailable().Suppose that the user now signs into another browser that shares the same platform authenticator (e.g. using Windows Hello).
Also suppose that the site would like the user to be able to associate the new browser with the existing trusted device, so that they can be managed together. (Among other things, this allows users to manage and trust actual physical devices like "Alice's Surface Pro" instead of browser sessions.) In this case, the site would need to either
getwhich platform authenticator is associated with the existing device, orcreatea new one if needed. I see two options:Both of these cause "unnecessary" confusion for the user — compare this to the simplicity of authenticator flows for any native mobile app. Is there any way to avoid this, either with the current spec or any likely future changes?
The text was updated successfully, but these errors were encountered: