
Re: [webauthn] Move account argument to options

From: Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
Date: Wed, 28 Sep 2016 07:45:35 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-250095629-1475048733-sysbot+gh@w3.org>
@bifurcation I don't think this is true. The account info tells the *authenticator* what to put in a chooser - this is out of reach of the UA once the credential is created. This allows for roaming authenticators with local storage to do initial logon (as opposed to U2F-style password supplement).

Scenario is something like this: the user comes up to a new machine with his rich authenticator, plugs it into USB for instance, and clicks the log in button on foo.com. That site calls getAssertion without a credential ID. The authenticator shows the user what credentials they have for foo.com so they can pick one. The user selects one, and that assertion gets generated. The site verifies the assertion, and the user is logged on.

In such situations one cannot require allowList because the site does not (and should not) yet know who the user is.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/219#issuecomment-250095629 
using your GitHub account
Received on Wednesday, 28 September 2016 07:45:44 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:23 UTC