Re: [webauthn] Add "willMakeCredentialWorkWithTheseConstraints()" method to the API

One clarification - this idea came from @kpaulh and all three browser vendors in that discussion liked it, though maybe we liked it for different reasons. So this is my take, which may be different from what the others think.

In my mind the overall idea is:
- UA takes responsibility for tracking user preferences (e.g. do they ever want to be bothered by any site upselling the platform authenticator?) and for prompting the user; RP is responsible for orchestrating all flows relating to the credential itself.
- This API is something that could be called indiscriminately by the RP, e.g. whenever it detects that it is running on a host where it has not previously configured a credential on the built-in authenticator. This check and call could perhaps even be in a standard toolbar that the RP always shows at the top of every page. The UA is responsible for converting this to a no-op if the platform does not have a built-in authenticator, or if the user has previously indicated that they don't care to use it for this RP.

I don't think of this as a way for a developer to determine anything. Rather, I think of this as a way for the developer to tell the UA (and hence the user) something along the lines of "here is a thing I can do for you if you're interested, just let me know anytime." There is no expectation that the developer will get a positive (or any) response, but it allows them to present a potentially useful option to the user without fingerprinting the platform and UA in the process. If the user takes them up on the offer, great. If not, no harm done.

So for example you may have logged on to a website with your password and started happily reading your messages, and a little butter bar at the top of the browser tab says did you know you could also set things up so you don't have to enter passwords any more. You click the tell-me-more button, the RP launches a registration flow, and when done returns you to your happy message-reading state. The next time, the logon page just directly asks you to scan your finger, show your face, or whatever else.

I hope that makes things clearer. If not, LMK.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/345#issuecomment-293620680 using your GitHub account

Received on Wednesday, 12 April 2017 15:45:04 UTC
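The following JavaScript is an added example, not code from the comment, from the WebAuthn specification, or from any browser. It models the division of responsibility the comment describes: the RP calls the hint indiscriminately on every page load where it has no local credential, and the UA alone decides whether that call becomes a no-op (no platform authenticator, global opt-out, or a previous "don't ask again" for this RP). The classes `UserAgentModel` and `RelyingParty`, the simulated `userChoice` callback, and the behaviour attached to the method name `willMakeCredentialWorkWithTheseConstraints` are all assumptions made for the model; the method name is taken from the thread's subject line, but nothing about its real semantics is specified here.

```javascript
// Added example: a model of the "hint, don't query" flow from the thread.
// All names below are hypothetical stand-ins, not WebAuthn or browser APIs.

class UserAgentModel {
  constructor({ hasPlatformAuthenticator, globalOptOut = false, userChoice }) {
    this.hasPlatformAuthenticator = hasPlatformAuthenticator;
    this.globalOptOut = globalOptOut;   // "never bother me about this on any site"
    this.userChoice = userChoice;       // simulated user: returns 'accept' | 'never' | 'ignore'
    this.declinedRps = new Set();       // per-RP "don't ask again"; UA-side state only
    this.promptsShown = 0;              // how many times the UA-owned bar was displayed
  }

  // Hypothetical hint API. Always returns undefined immediately, so the RP learns
  // nothing from the call itself; only a user who opts in ever reaches the callback.
  willMakeCredentialWorkWithTheseConstraints(rpId, onUserInterested) {
    if (!this.hasPlatformAuthenticator) return;   // no-op: nothing to offer
    if (this.globalOptOut) return;                 // no-op: user preference
    if (this.declinedRps.has(rpId)) return;        // no-op: declined for this RP before
    this.promptsShown += 1;                        // UA shows its own "butter bar"
    const choice = this.userChoice(rpId);
    if (choice === 'accept') onUserInterested();   // the only path that reaches the RP
    else if (choice === 'never') this.declinedRps.add(rpId);
    // 'ignore' (closing the bar) changes nothing; the UA may ask again later
  }
}

class RelyingParty {
  constructor(rpId) {
    this.rpId = rpId;
    this.hasLocalCredential = false;   // RP's own marker that it registered a credential here
    this.registrationsStarted = 0;
  }

  // Called on every page load (e.g. from a standard toolbar) whenever the RP has
  // no record of a credential on this host. Safe to call indiscriminately.
  onPageLoad(ua) {
    if (this.hasLocalCredential) return;
    ua.willMakeCredentialWorkWithTheseConstraints(this.rpId, () => this.startRegistration());
  }

  startRegistration() {
    // A real RP would run its registration flow here (navigator.credentials.create
    // with a platform attachment); the model only records that it happened.
    this.registrationsStarted += 1;
    this.hasLocalCredential = true;
  }

  // Everything the RP can observe after calling the hint. If this is identical
  // across all "no-op" scenarios, the hint leaks nothing about platform or user.
  observableState() {
    return {
      registrationsStarted: this.registrationsStarted,
      hasLocalCredential: this.hasLocalCredential,
    };
  }
}

// Run one scenario: an RP that loads `pageLoads` pages against a given UA model.
// Returns the RP-visible state plus the UA-private prompt count for comparison.
function runScenario(uaOptions, pageLoads = 3) {
  const ua = new UserAgentModel(uaOptions);
  const rp = new RelyingParty('rp.example');   // constructed sample RP id
  for (let i = 0; i < pageLoads; i++) rp.onPageLoad(ua);
  return { ...rp.observableState(), promptsShown: ua.promptsShown };
}

const ignore = () => 'ignore';
const noAuthenticator = runScenario({ hasPlatformAuthenticator: false, userChoice: ignore });
const optedOut = runScenario({ hasPlatformAuthenticator: true, globalOptOut: true, userChoice: ignore });
const ignored = runScenario({ hasPlatformAuthenticator: true, userChoice: ignore });
const declinedOnce = runScenario({ hasPlatformAuthenticator: true, userChoice: () => 'never' });
const accepted = runScenario({ hasPlatformAuthenticator: true, userChoice: () => 'accept' });

// From the RP's side the first four scenarios are indistinguishable: no registration,
// no local credential. Only the UA knows whether a bar was shown (0, 0, 3, 1 times).
console.log({ noAuthenticator, optedOut, ignored, declinedOnce, accepted });
```

The point the model makes explicit is that the RP-visible state (`registrationsStarted`, `hasLocalCredential`) is the same whether the platform has no authenticator, the user has opted out globally, the user ignored the bar three times, or the user declined once for this RP. The differences live only in UA-side state (`promptsShown`, `declinedRps`), which is what keeps the hint from becoming a platform or preference fingerprint.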