RE: API consumer question: How do we recover Credential?

Isn’t it true that under the current structure (with non-optional attestation) the makeCredential response gives you enough info to tell which kind you’re dealing with? So maybe an RP would first ask the user to produce either a username/password OR a first-factor authenticator (by calling getAssertion without a credential list), and if they produced the password they’d be prompted for a second factor (this time with the list).

From: Dirk Balfanz [mailto:balfanz@google.com]
Sent: Monday, July 18, 2016 3:23 AM
To: Hodges, Jeff <jeff.hodges@paypal.com>; Vijay Bharadwaj <vijaybh@microsoft.com>; J.C. Jones <jc@mozilla.com>
Cc: W3C WebAuthn WG <public-webauthn@w3.org>
Subject: Re: API consumer question: How do we recover Credential?

I would point out here that the question is not so much whether the authenticator can be used with or without the whitelist. While the spec says that the whitelist is optional, the two use cases that we currently have experience implementing (U2F and UAF) might as well require the whitelist to be there - certainly they are used in situations where the whitelist is known before the call to getAssertion() is made. If it makes our lives easier, I wouldn't mind making the whitelist required for now (although at some point we'd probably want to go back and look into how to enable use cases where one doesn't know the whitelist a priori).

That still doesn't solve the question, though, how the RP knows what kind of authenticator it's dealing with, as I explained in the thread Jeff pointed to: https://lists.w3.org/Archives/Public/public-webauthn/2016May/0281.html


Dirk.


On Mon, Jul 18, 2016 at 9:12 AM Hodges, Jeff <jeff.hodges@paypal.com> wrote:
On 7/17/16, 5:52 PM, "Vijay Bharadwaj" <vijaybh@microsoft.com> wrote:
>Could use the AAGUID in conjunction with metadata service.

yes, see..

<https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-authnr-metadata-v1.0-ps-20141208.html#metadata-keys>

..specifically the isSecondFactorOnly boolean.


> Or we could add a flag to be returned by authenticator at makeCredential
>time.

this notion intersects with the discussion in the "use cases" thread..

https://lists.w3.org/Archives/Public/public-webauthn/2016Jun/0086.html


..the difference being the latter discussion is regarding the webauthn RP
expressing a preference for authnr feature(s), and the former is the
authnr itself attesting to its feature(s).  in any case, we could use the
same mechanism (e.g. bit flags) to express this in both cases.

HtH,

=JeffH


>From: J.C. Jones [mailto:jc@mozilla.com]
>Sent: Sunday, July 17, 2016 5:40 AM
>To: Vijay Bharadwaj <vijaybh@microsoft.com>
>Cc: W3C WebAuthn WG <public-webauthn@w3.org>
>Subject: Re: API consumer question: How do we recover Credential?
>
>Rolling it into #60 makes sense to me.
>
>On Fri, Jul 15, 2016 at 11:18 PM, Vijay Bharadwaj <vijaybh@microsoft.com>
>wrote:
>
>So couldn't an RP tell this from the attestations? It would know which of
>its credentials will or will not work without the optional argument, and
>could do the UI accordingly.
>
>There's nothing to my knowledge in the attestation certificate to
>identify how an authenticator functions; it would be up to the RP to
>define something using out-of-band knowledge, wouldn't it?
>
>Or you could define a heuristic that says, if a Credential's
>id field is very long, then it's probably an authenticator which doesn't
>remember keys.
>
>That's all that occurs to me, anyway!
>
>J.C.
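As an added illustration of the RP-side decision the thread is circling (not code from any participant or from the spec): classify each registered credential as first-factor-capable or second-factor-only by looking up the attested AAGUID in a metadata table carrying the UAF `isSecondFactorOnly` key, fall back to J.C.'s credential-id-length heuristic when no metadata entry exists, and from that decide whether a getAssertion call without a credential list can be offered at all. The AAGUID values, the metadata table and the 64-byte length threshold are constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed metadata table: AAGUID -> subset of a metadata statement.
# A real RP would fetch these from the FIDO metadata service; the AAGUIDs
# here are made up for the example.
METADATA = {
    "aaguid-first-factor-0001": {"isSecondFactorOnly": False},
    "aaguid-second-factor-0002": {"isSecondFactorOnly": True},
}

# Assumed threshold for the length heuristic: authenticators that do not
# store keys wrap them into the credential id, so ids far longer than a
# random handle hint at a second-factor-only device.
LONG_ID_BYTES = 64


@dataclass
class Credential:
    cred_id: bytes
    aaguid: Optional[str]  # from attestation at makeCredential; None if unknown


def second_factor_only(cred: Credential) -> bool:
    """True if the credential should only be used with a credential list."""
    meta = METADATA.get(cred.aaguid) if cred.aaguid else None
    if meta is not None:
        return bool(meta["isSecondFactorOnly"])
    # No metadata: fall back to the id-length heuristic from the thread.
    return len(cred.cred_id) >= LONG_ID_BYTES


def plan_login(creds: list) -> dict:
    """Decide the login flow for a user with the given registered credentials.

    A first-factor getAssertion (no credential list) is offered only if at
    least one credential can work without a list; the second-factor step
    after a password may list every credential, since all work when listed.
    """
    first_factor = [c for c in creds if not second_factor_only(c)]
    return {
        "offer_first_factor": bool(first_factor),
        "second_factor_allow_list": [c.cred_id for c in creds],
    }
```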

Received on Tuesday, 19 July 2016 05:46:58 UTC