Re: Expected changes in Chrome 127

On Thu, Jun 6, 2024 at 5:14 PM SHANE WEEDEN <sweeden@au1.ibm.com> wrote:

> Thanks Adam,
>
> At least on Mac, if I specify authenticatorAttachment=platform, there are
> no “Other options” present during the create dialog such that a HSK (or
> hybrid flow) could be registered in that ceremony. What I actually get is
> an experience that goes straight to Apple iCloud Keychain if enabled, and
> if I cancel out of that then I get a fallback to the choice between Chrome
> profile and Apple iCloud Keychain (both platform options).
>

That is correct: security keys and hybrid are considered cross-platform and
thus not options when authenticatorAttachment=platform. (This is why we're
worried when sites tell us that they are setting, or plan to set,
authenticatorAttachment=platform in all cases, just to get the platform
authenticator by default.)

> The question I have is … if I don’t specify authenticatorAttachment at all,
> is there a path (and what is it) for the user to register a security key
> (or the hybrid flow) during that ceremony?
>

Yes. If the platform authenticator is provided via Chrome UI then there's a
"Save another way" option. If the iCloud Keychain UI appears then one can
cancel out of it to see the other options. (On macOS, one can also just tap
the security key whatever the UI.)

On Windows, the Hello UI will already offer security key options.


> Ideally it would be great if UX-changing experiences like this could be
> pre-released under a flag (or via some other mechanism such as canary, etc)
> so that folks in the know can try them out and understand any impact before
> it hits the general public. If this is already in Canary, or planned to be
> available in Canary soon, then great - please let us know such that we can
> go experiment. I tried Canary today (127.0.6524.0) without specifying
> authenticatorAttachment, and see the same behaviour as I do in GA Chrome
> (125.0.6422.142), which is the “mechanism selection” UI.
>

Changes such as these are nearly always available in Canary some weeks
prior to release. In this case, 127.0.6525.0 (which should be available by
Monday) should contain the attachment changes.


Cheers

AGL

Received on Friday, 7 June 2024 13:25:45 UTC
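
An added example, not part of the original message or of Chrome's code: one way a relying party can build its create() options so that authenticatorAttachment is set only when the user explicitly asked for a specific authenticator type, rather than in all cases. The function name, the server JSON shape, the `userChoice` parameter and the residentKey/userVerification defaults are assumptions for illustration.

```javascript
// Added example; toCreationOptions, the server JSON shape and userChoice are
// hypothetical names, not taken from the thread.

// Decode base64url (a common wire encoding for challenge and user.id) to bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build the publicKey options for navigator.credentials.create().
// userChoice: undefined (no preference), "platform" or "cross-platform",
// passed only when the user picked one in the site's own UI.
function toCreationOptions(serverJson, userChoice) {
  if (userChoice !== undefined &&
      userChoice !== "platform" && userChoice !== "cross-platform") {
    throw new TypeError("unknown attachment: " + userChoice);
  }
  // Assumed defaults for a passkey registration.
  const authenticatorSelection = {
    residentKey: "preferred",
    userVerification: "preferred",
  };
  // Omitting authenticatorAttachment leaves security keys and hybrid reachable
  // from the browser UI; "platform" removes them from the ceremony.
  if (userChoice !== undefined) {
    authenticatorSelection.authenticatorAttachment = userChoice;
  }
  return {
    rp: serverJson.rp,
    user: { ...serverJson.user, id: b64urlToBytes(serverJson.user.id) },
    challenge: b64urlToBytes(serverJson.challenge),
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection,
  };
}

// Constructed sample of a server response (not real values).
const sampleServerJson = {
  rp: { id: "example.com", name: "Example" },
  user: { id: "dXNlci0xMjM", name: "alice@example.com", displayName: "Alice" },
  challenge: "AAECAwQFBgcICQoLDA0ODw",
};
// Browser use: navigator.credentials.create({ publicKey: toCreationOptions(sampleServerJson) })
```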