- From: Adam Langley <agl@google.com>
- Date: Thu, 6 Jun 2024 16:02:59 -0700
- To: public-webauthn-adoption@w3.org
- Message-ID: <CAL9PXLwx4yGoXs0FqjzwiL8bFSGzdQa6On103n=5O-ko-sRSdw@mail.gmail.com>

Dear all,

For create() requests where the authenticatorAttachment <https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-authenticatorattachment> is undefined, Chrome has traditionally shown its "mechanism selection" UI. Several sites have said that this is confusing for users and that it's pushing them to always set "platform" attachment, even when a cross-platform authenticator would be acceptable.

Thus, in Chrome 127, we expect the UI in this case to default to a platform authenticator (where available), just as setting "platform" does. Cross-platform authenticators will still be available if the user wishes. Also, an exclude-list match for a platform authenticator will return InvalidStateError when authenticatorAttachment is undefined, as it currently does when set to "platform".

Secondly, if Chrome is signed into a Google account that also has an Android phone on it, and a passkey has been created in Google Password Manager (GPM) on that Android phone, Chrome 127 may no longer require the user to use their phone in order to create and exercise GPM passkeys.

(This information is provided to highlight planned future changes but does not represent a commitment to ship these behaviours in the specified timeline, or at all.)

Cheers

AGL

Received on Thursday, 6 June 2024 23:03:20 UTC
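
For relying parties that leave authenticatorAttachment undefined, the following added example (not part of the original message, and not Chrome's code) shows one way to handle the InvalidStateError on an exclude-list match that the message describes. The names `buildCreateOptions` and `registerPasskey` and the injected `credentials` parameter are hypothetical; in a page, `navigator.credentials` would be passed in.

```javascript
// Added example. Function names and the injected `credentials` object are
// assumptions for illustration; a page would pass navigator.credentials.

// Build create() options that accept any authenticator type while
// excluding credentials the account already has registered.
function buildCreateOptions({ rpId, rpName, user, challenge, existingCredentialIds }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user, // { id: Uint8Array, name, displayName }
      challenge, // fresh random bytes issued by the server
      pubKeyCredParams: [
        { type: "public-key", alg: -7 },   // ES256
        { type: "public-key", alg: -257 }, // RS256
      ],
      // authenticatorAttachment is deliberately left undefined so that a
      // cross-platform authenticator remains acceptable.
      authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
      excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
}

// Call create() and map the outcomes a relying party needs to tell apart.
async function registerPasskey(credentials, options) {
  try {
    const cred = await credentials.create(options);
    // With no attachment requested, record which kind was actually used
    // ("platform", "cross-platform", or null when the browser omits it).
    return { status: "created", attachment: cred.authenticatorAttachment ?? null, credential: cred };
  } catch (err) {
    if (err && err.name === "InvalidStateError") {
      // An authenticator already holds a credential from excludeCredentials:
      // treat as "already registered" and offer sign-in, not a retry loop.
      return { status: "already-registered" };
    }
    if (err && err.name === "NotAllowedError") {
      // Dismissed, timed out, or otherwise refused; the cause is not exposed.
      return { status: "not-allowed" };
    }
    throw err; // SecurityError, NotSupportedError, etc. are integration bugs
  }
}
```
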