Re: [webauthn] Add "willMakeCredentialWorkWithTheseConstraints()" method to the API

>> As an example use case, a user logs in to the RP. If the call is
>> successful..
> This is assuming that the login is a legacy one (e.g. via form-based
> ("password") authentication) not using WebAuthn/FIDO means, yes?

I'm not sure that logging in to the RP is even a required part of the 
use case. It could be that the RP offers this option right on their 
login page to anonymous users. @kpaulh do you agree?

> By "the authenticator" do you mean to say "an available platform
> authenticator"? During the discussion at the end of the F2F meeting I
> recall that roaming authenticators (i.e., those with a cross-platform
> attachment) were not considered candidates for this use case -- is
> that still the intention?

That's one possible use case. But the converse is also possible - e.g.
a site is trying to figure out whether to upsell you to creating a
roaming authenticator for recovery purposes so you can do away with
KBA (i.e. the mother's maiden name style questions). Would like to
hear from other RPs if they see this as a use case.

> Also, this use case depends upon the RP webapp developers to
> explicitly take advantage of the availability of this method and to
> weave it properly into their login flows, yes? If they do not do so,
> then perhaps there is still need for possibly throwing a
> "NotFoundError" as anticipated in #302 and #350 ? @vijaybh ?

On reflection, I think these are just orthogonal. This "willMCWork()"
is a prelude to the upsell flow, i.e. before deciding to call
makeCredential(). Regardless of how well or poorly the RP does things,
there is still a desire to not hang the UI (from the user's PoV) when
there is no authenticator found after calling makeCredential(). e.g.
maybe we're looking for a roaming authenticator, platform says it will
work because it knows the user has a USB dongle in their pocket, RP
calls makeCredential() but dongle is not inserted.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/345#issuecomment-282373925 
using your GitHub account

Received on Friday, 24 February 2017 18:57:14 UTC