Re: [webauthn] Specify authenticator attachment for authentication operation (#1267)

Seems like I always get the pleasure of responding to the big threads :)

This issue has come up again and again, and my thinking hasn't really changed on this matter much over the last two years:

1. If an RP has an "ambient" credential, they can happily pass in a credentialId (or more than one credentialId), annotate the "transport" of all of these as "internal" and no UI will be presented to attach external authenticators even if none of the credentialIds are found locally. In this particular error-case, UI will be presented to the user that says "something went wrong - no requested credentials were found locally", and upon the user dismissing the dialog, an error will be sent through to the RP so they can handle the failure. Note that it's imperative to show UI to the user and have them dismiss the prompt before sending an error to the RP, otherwise RPs would silently be able to "probe" whether credentials are available on internal authenticators without the user knowing. I think we said before that that's bad.

2. If an RP does *not* have any ambient credential from which to derive a credentialId (or set of credentialIds), the only option is to call Get with an empty allowlist. In this particular case, there's no way to tell the Client to restrict operation to only platform authenticators, but I believe that's by-design. In the case where credentials for this rpid ARE found, an account chooser will be rendered (even if only a single credential is found) where the user can indicate *consent* for sending proof of this particular credential to the server. After selecting the credential, UV might be required if it was requested by the RP.

In all cases there's small text at the bottom of the account chooser telling a user that, if they're not seeing the credential they're looking for in this list, they can attach an external authenticator to enumerate its credentials too.

In the case where NO matching credentials are found on the platform (internal) authenticator, we will STILL show an account chooser. But this time it will be empty. The message at the bottom will still be there telling the user that they can attach external security keys now if they have them. The idea is that this message is non-intrusive, and that users who know nothing about security keys won't get confused.

This "empty account chooser" solves two problems:
1. It serves as a "consent" screen for letting the RP know that no credentials are found if the user dismisses it (again, we don't just want to tell the RP without any user interaction whether a given platform contains credentials for it. The user won't be able to suppress the error message, but it will be indistinguishable from an error when there ARE credentials but the user chose to abort the request)
2. It incentivizes RPs to support external authenticators: in a not too distant future I might be registering a platform authenticator on Android, only to try and sign in on my laptop later that night. Even if an RP said "I only want platform credentials" I want to give the user the option to "present" their phone as a "remote, platform authenticator" and need that option to do it, without having to go back to all RPs to convince them to change their implementations.

Happy to talk more about this in person.

-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1267#issuecomment-533834367 using your GitHub account

Received on Saturday, 21 September 2019 22:24:04 UTC
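The two RP-side call shapes the comment describes, as an added JavaScript example that is not code from the thread or from any browser: case 1 passes the ambient credential ids with every transport marked "internal", case 2 passes an empty allowlist; the helper names and the "preferred" UV setting are this example's own assumptions, and the `NotAllowedError` mapping is what the WebAuthn spec uses for a user abort (which the comment's design makes indistinguishable from "no credentials found").

```javascript
// Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
// challenge: Uint8Array from the server; ambientCredentialIds: Uint8Array[]
// recovered from an "ambient" source such as a cookie (may be empty).
function buildGetOptions(challenge, rpId, ambientCredentialIds = []) {
  // Case 1: annotate each known credential as transport "internal" so the
  // client only consults the platform authenticator and shows no
  // "attach a security key" UI even if none of the ids is found locally.
  const allowCredentials = ambientCredentialIds.map((id) => ({
    type: "public-key",
    id,
    transports: ["internal"],
  }));
  // Case 2: with no ambient ids this is an empty allowlist; the client shows
  // its account chooser and the RP cannot limit it to platform authenticators.
  return {
    publicKey: {
      challenge,
      rpId,
      allowCredentials,
      userVerification: "preferred", // assumption: RP does not insist on UV
    },
  };
}

// The RP must not be able to tell "user dismissed the empty chooser" from
// "user aborted with credentials present"; both arrive as NotAllowedError,
// so map them to one bucket and never log the outcome as "no credentials".
function classifyGetFailure(err) {
  if (err && err.name === "NotAllowedError") return "cancelled-or-no-credentials";
  if (err && err.name === "SecurityError") return "rp-id-not-valid-for-origin";
  return "other";
}

// Browser-only entry point: wires the two helpers to the real API.
async function signIn(challenge, rpId, ambientCredentialIds) {
  try {
    return await navigator.credentials.get(
      buildGetOptions(challenge, rpId, ambientCredentialIds)
    );
  } catch (err) {
    return { failure: classifyGetFailure(err) }; // uniform handling for the RP
  }
}
```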