[webauthn] Ignore transport hints in excludeCredentials? (#1348) from Emil Lundberg via GitHub on 2019-11-19 (public-webauthn@w3.org from November 2019)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 19 Nov 2019 15:23:55 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-525079199-1574177033-sysbot+gh@w3.org>

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Ignore transport hints in excludeCredentials? ==
[`PublicKeyCredentialCreationOptions.excludeCredentials`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-excludecredentials) is currently a sequence of type `PublicKeyCredentialDescriptor`, which can include transport hints. Is there a use case for considering transport hints in `excludeCredentials`, or should we mandate that clients ignore them in `create()`?

For example, say you register a credential `A` on an Android phone, and the client at the time returns `getTransports(): ["internal"]`. At some later time, Android releases a software upgrade that makes these credentials available over Bluetooth as well. The user connects the phone to a laptop and initiates credential registration, and the RP returns `excludeCredentials: [{ type: "public-key", id: "A", transports: ["internal"] }]`. Now, if the client does consider the transport hints and does not include `A` in the exclude list sent to the authenticator, then the user can register their phone twice to the same account. This is what `excludeCredentials` is intended to prevent.

So I think it probably makes sense to mandate ignoring transport hints in `excludeCredentials`. Ideally the type wouldn't allow them, but I'm not sure this is worth breaking the API.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1348 using your GitHub account

Received on Tuesday, 19 November 2019 15:24:02 UTC