Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

I'm not sure this would make for the best user experience. I agree that it's valuable to be able to inform the user that an authenticator doesn't have any applicable credentials, but could that be done by the browser instead of the RP?

In https://bugs.chromium.org/p/chromium/issues/detail?id=828567 you say:

>[...] after discovering that an authenticator does not contain any of the credentials in allowCredentials, we send additional winking commands anyways.

If the browser has this knowledge, why not present that to the user directly? As pointed out in #867, it would likely make for a confusing and frustrating user experience if multiple authenticators light up when only one of them can generate a valid response.

I imagine it could look something like this:

1. RP calls `navigator.credentials.get({ ... allowCredentials: [{ id: "foo" }] })`
2. User's device has no platform authenticator, or `foo` is not on the platform authenticator
3. Browser prompts "Please insert your security key."
4. User plugs in an authenticator that doesn't contain `foo`
5. Browser prompts "This security key is not accepted for this authentication, please try a different one." and does not send the command to the authenticator
6. User plugs in another authenticator that doesn't contain `foo` (while the first is still connected)
7. Browser prompts "None of the connected security keys is accepted for this authentication, please try a different one." and does not send the command to the authenticator
8. User plugs in an authenticator that does contain `foo`
9. Browser sends the command to the authenticator and the authentication ceremony proceeds as normal

Would that work?

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/863#issuecomment-381205024 using your GitHub account

Received on Friday, 13 April 2018 17:23:59 UTC
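The flow proposed in the comment above, modelled as an added example (this is not code from the comment, from Chromium, or from the WebAuthn project): the RP builds its `allowCredentials` list from stored credential IDs, and a model of the browser decides, per connected authenticator, whether to send the assertion command at all. The authenticator objects, their `credentialIds` lists, the `roaming` flag and the prompt strings are constructed here; how a real browser learns which credentials a key holds is abstracted away.

```javascript
// Added example, not code from the issue comment or the WebAuthn project.
// Models the browser-side flow from steps 1-9: only authenticators that hold
// an allowed credential ever receive the assertion command.

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}
function b64urlEncode(bytes) {
  return Buffer.from(bytes).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// RP side: credential IDs are opaque bytes, stored base64url and decoded into
// a BufferSource for each allowCredentials entry (the comment's `id: "foo"`
// is shorthand; the API takes bytes, not a string).
function buildRequestOptions(storedCredentialIds, challenge, rpId = "example.com") {
  return {
    challenge, // real RPs generate this randomly server-side per ceremony
    rpId,
    allowCredentials: storedCredentialIds.map((id) => ({
      type: "public-key",
      id: b64urlDecode(id),
    })),
    userVerification: "preferred",
  };
}

// Browser side (model): authenticators holding at least one allowed credential.
// Only these get the command (step 9); the others never see it (steps 5 and 7).
function applicableAuthenticators(options, connected) {
  const allowed = new Set(options.allowCredentials.map((c) => b64urlEncode(c.id)));
  return connected.filter((a) => a.credentialIds.some((id) => allowed.has(id)));
}

// What the browser does given the currently connected authenticators.
// `roaming: false` marks the platform authenticator (step 2); it is never
// "inserted", so it does not count as a security key in the prompts.
function nextAction(options, connected) {
  const ok = applicableAuthenticators(options, connected);
  if (ok.length > 0) {
    return { action: "send", targets: ok.map((a) => a.name) };
  }
  const keys = connected.filter((a) => a.roaming);
  if (keys.length === 0) {
    return { action: "prompt", message: "Please insert your security key." };
  }
  if (keys.length === 1) {
    return {
      action: "prompt",
      message: "This security key is not accepted for this authentication, please try a different one.",
    };
  }
  return {
    action: "prompt",
    message: "None of the connected security keys is accepted for this authentication, please try a different one.",
  };
}

// Replay a sequence of plug-in events; every authenticator stays connected.
function simulate(options, plugInOrder) {
  const connected = [];
  const log = [];
  for (const auth of plugInOrder) {
    connected.push(auth);
    log.push(nextAction(options, connected));
  }
  return log;
}

// Constructed scenario matching steps 1-9: the RP allows only credential "foo"
// (base64url "Zm9v"); the platform authenticator and two keys lack it, a third has it.
const SCENARIO = [
  { name: "platform", roaming: false, credentialIds: ["YmFy"] },
  { name: "key1", roaming: true, credentialIds: ["YmF6"] },
  { name: "key2", roaming: true, credentialIds: [] },
  { name: "key3", roaming: true, credentialIds: ["Zm9v", "cXV4"] },
];

// Placeholder challenge for the model only.
const OPTIONS = buildRequestOptions(["Zm9v"], new Uint8Array(32));

for (const step of simulate(OPTIONS, SCENARIO)) console.log(step);
```

Running it prints the four browser decisions in order: the "please insert" prompt (step 3), the single-key rejection (step 5), the multi-key rejection (step 7), and finally `send` targeting only `key3` (step 9), with the two non-matching keys never having received the command.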