- From: SHANE WEEDEN <sweeden@au1.ibm.com>
- Date: Sat, 8 Jun 2024 00:06:58 +0000
- To: Adam Langley <agl@google.com>
- CC: "public-webauthn-adoption@w3.org" <public-webauthn-adoption@w3.org>
- Message-ID: <F45B2251-87F0-47EB-8688-9C4E02F5EE70@au1.ibm.com>
Thanks Adam - that’s all manageable. Cheers, Shane. On 7 Jun 2024, at 11:25 PM, Adam Langley <agl@google.com> wrote: This Message Is From an External Sender This message came from outside your organization. <https://us-phishalarm-ewt.proofpoint.com/EWT/v1/AdhS1Rd-!-XFVHHmzfgJ0fN6Zb0rBv00EK_tDMtKnjhq6zGYueCTPnMnHugUgEFC8uP3bNpmxl0ggTpdnYLjApZ3aOF22Qe3ws0KyNucFYcQYvJdd55azQTqZYrm_uaPvLZc$> Report Suspicious On Thu, Jun 6, 2024 at 5:14 PM SHANE WEEDEN <sweeden@au1.ibm.com<mailto:sweeden@au1.ibm.com>> wrote: Thanks Adam, At least on Mac, if I specify authenticatorAttachment=platform, there are no “Other options” present during the create dialog such that a HSK (or hybrid flow) could be registered in that ceremony. What I actually get is an experience that goes straight to Apple iCloud Keychain if enabled, and if I cancel out of that then I get a fallback to the choice between Chrome profile and Apple iCloud Keychain (both platform options). That is correct: security keys and hybrid are considered cross-platform and thus not options when authenticatorAttachment=platform. (This is why we're worried when sites tell us that they are setting, or plan to set, authenticatorAttachment=platform in all cases, just to get the platform authenticator by default.) The question I have is … if I don’t specify authenticatorAttachment at all, is there a path (and what is it) for the user to register a security key (or the hybrid flow) during that ceremony? Yes. If the platform authenticator is provided via Chrome UI then there's a "Save another way" option. If the iCloud Keychain UI appears then one can cancel out of it to see the other options. (On macOS, one can also just tap the security key whatever the UI.) On Windows, the Hello UI will already offer security key options. Ideally it would be great if UX-changing experiences like this could be pre-released under a flag (or via some other mechanism such as canary, etc) so that folks in the know can try them out and understand any impact before it hits the general public. If this is already in Canary, or planned to be available in Canary soon, then great - please let us know such that we can go experiment. I tried Canary today (127.0.6524.0) without specifying authenticatorAttachment, and see the same behaviour as I do in GA Chrome (125.0.6422.142), which is the "mechanism selection” UI. Changes such as these are nearly always available in Canary some weeks prior to release. In this case, 127.0.6525.0 (which should be available by Monday) should contain the attachment changes. Cheers AGL
Received on Saturday, 8 June 2024 00:07:07 UTC