- From: Adam Langley <agl@google.com>
- Date: Thu, 6 Jun 2024 16:58:13 -0700
- To: SHANE WEEDEN <sweeden@au1.ibm.com>
- Cc: "public-webauthn-adoption@w3.org" <public-webauthn-adoption@w3.org>
- Message-ID: <CAL9PXLwuWN8Sgj5y2AOathV=0dntXByG-TtxYp37dOs5Qpi6WQ@mail.gmail.com>
On Thu, Jun 6, 2024 at 4:34 PM SHANE WEEDEN <sweeden@au1.ibm.com> wrote:

> I see some challenges with this part:
>
> > Also, an exclude-list match for a platform authenticator will return
> > InvalidStateError when authenticatorAttachment is undefined, as it
> > currently does when set to "platform".
>
> Today, we have a user self-care registration experience that has a generic
> “Add a passkey” capability. This results in a create ceremony with no
> authenticatorAttachment defined. It allows a user to register either a
> platform or roaming authenticator. If the user already has a platform
> authenticator registered, they can still add a new roaming authenticator
> using this method, even when the excludeCredentials list is provided. If I’m
> reading your message correctly, that will no longer be the case - the API
> will error out immediately. We would either have to:
>
> - remove the excludeCredentials list in our call to create
> - have a separate button for “Add a hardware security key” or similar,
>   which results in create being called with authenticatorAttachment set to
>   cross-platform
> - catch the InvalidStateError, guess that it’s because of this reason,
>   then re-invoke create with authenticatorAttachment set to cross-platform
>
> Again, if I’m interpreting this correctly, it will have a negative impact
> on our current deployment.
>
> Why can’t Chrome, when no authenticatorAttachment is supplied, upon seeing
> an excludeCredentials list which matches the platform authenticator,
> fall back to the scenario where it will prompt as if cross-platform was
> supplied for authenticatorAttachment?

An undefined authenticatorAttachment will start to act, in this respect, like authenticatorAttachment="platform" does today.

Thus, if there's an exclude list provided and the user attempts to create a credential in a platform authenticator, the user experience will be the same as if there was no exclude list, but rather than overwriting the excluded credential, InvalidStateError is silently returned. So it's not the case that an exclude list will cause an immediate error. The user will do the full ceremony with the platform authenticator and the site learns that the device was already registered. Some sites show a notice when that happens, but some consider it to be fine: the user wanted a credential in that platform authenticator and indeed there is one.

Cheers

AGL
Received on Thursday, 6 June 2024 23:58:38 UTC
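The registration flow discussed in this thread, as an added example that is not code from the thread, from IBM's deployment or from Chrome. It models a relying party's "Add a passkey" call (no authenticatorAttachment, excludeCredentials populated) and the separate "Add a hardware security key" call (authenticatorAttachment set to cross-platform), and treats InvalidStateError the way Adam describes: the ceremony completed, nothing was overwritten, and the site has learned the device was already registered. The WebAuthn call is injected as `createFn` so the logic can run outside a browser against a constructed fake that mirrors the described behaviour; on a real page you would pass `(opts) => navigator.credentials.create(opts)`. The rp, user, challenge and credential id values are constructed sample data.

```javascript
// Added example, not code from the thread or from Chrome. All rp/user/challenge
// and credential-id values are constructed sample data.

// Build the options object for navigator.credentials.create(). Leaving
// authenticatorAttachment undefined lets the user choose a platform or roaming
// authenticator; excludeCredentials lists credentials the RP already holds.
function buildCreateOptions(registeredCredentialIds, authenticatorAttachment) {
  const authenticatorSelection = { residentKey: "preferred" };
  if (authenticatorAttachment !== undefined) {
    authenticatorSelection.authenticatorAttachment = authenticatorAttachment;
  }
  return {
    publicKey: {
      rp: { id: "example.com", name: "Example RP" },          // assumed RP identity
      user: { id: new Uint8Array(16), name: "alice", displayName: "Alice" },
      challenge: new Uint8Array(32),                           // constructed; a real RP uses a server-issued random challenge
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],     // ES256
      excludeCredentials: registeredCredentialIds.map((id) => ({ type: "public-key", id })),
      authenticatorSelection,
    },
  };
}

// Map a rejected create() call to a status the UI can act on.
// InvalidStateError with an exclude list present means the ceremony ran on an
// authenticator that already holds one of the excluded credentials; nothing
// was overwritten, and the site now knows this device was already registered.
function classifyCreateError(err) {
  if (err && err.name === "InvalidStateError") return "already-registered";
  if (err && err.name === "NotAllowedError") return "cancelled-or-timeout";
  return "error";
}

// Run one registration ceremony and return a status object instead of throwing
// for the outcomes the UI is expected to handle.
async function register(createFn, registeredCredentialIds, authenticatorAttachment) {
  const options = buildCreateOptions(registeredCredentialIds, authenticatorAttachment);
  try {
    const credential = await createFn(options);
    return { status: "registered", credentialId: credential.id };
  } catch (err) {
    const status = classifyCreateError(err);
    if (status === "error") throw err;   // anything else is a genuine failure
    return { status };
  }
}

// Constructed stand-in for navigator.credentials.create(): a device with one
// platform credential. With attachment undefined or "platform", an exclude-list
// match yields InvalidStateError after the ceremony; with "cross-platform" a
// roaming authenticator is used and a new credential is returned.
function makeFakeCreate(platformCredentialId) {
  return async (options) => {
    const pk = options.publicKey;
    const attachment = (pk.authenticatorSelection || {}).authenticatorAttachment;
    if (attachment === "cross-platform") {
      return { id: "roaming-cred-1" };                         // constructed id
    }
    const excluded = (pk.excludeCredentials || []).some((c) => c.id === platformCredentialId);
    if (excluded) {
      const err = new Error("authenticator already contains an excluded credential");
      err.name = "InvalidStateError";
      throw err;
    }
    return { id: platformCredentialId };
  };
}

// Usage: the generic "Add a passkey" button on an already-registered device
// reports "already-registered" (the RP may show a notice or treat it as fine);
// the "Add a hardware security key" button still registers a roaming credential;
// a device whose platform authenticator is not in the exclude list registers normally.
async function demo() {
  const known = ["platform-cred-1"];                          // credential ids the RP already stores
  const thisDevice = makeFakeCreate("platform-cred-1");
  const freshDevice = makeFakeCreate("platform-cred-2");
  return {
    addPasskey: await register(thisDevice, known, undefined),
    addSecurityKey: await register(thisDevice, known, "cross-platform"),
    freshDevice: await register(freshDevice, known, undefined),
  };
}
```

The design choice worth noting is that `register` distinguishes InvalidStateError from NotAllowedError rather than retrying blindly: the former tells the RP a credential for this user already exists on the device, while the latter covers user cancellation and timeouts. An RP that wants Shane's third option (re-invoke with cross-platform) can do so from the "already-registered" status, but only after deciding whether that is what the user actually asked for.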