[webauthn] credentialList needs to be non-empty in order to call authenticatorGetAssertion

rlin1 has just created a new issue for https://github.com/w3c/webauthn:

== credentialList needs to be non-empty in order to call authenticatorGetAssertion ==
The authenticatorGetAssertion operation (section 5.2.2) is defined such that the authenticator handles an empty "list of credentials acceptable to the RP" itself (i.e. building a list of the available credentials on the authenticator and asking the user for disambiguation).

Our "Use existing credential get" algorithm will *never* invoke authenticatorGetAssertion without knowing the (non-empty) credentialList in advance.
At this time we allow the platform to "execute a platform-specific procedure to determine which, if any, credentials in publicKeyOptions.allowList are present on this authenticator". But this doesn't necessarily work with roaming authenticators.

As a consequence, our current approach doesn't allow roaming authenticators (i.e. in which the platform doesn't know which credentials are related to the authenticator) *without* expecting it to be used as a second-factor (i.e. in a situation in which the RP server could already provide the credentialList).

We could modify step 13.3 in section 4.1.4 to say:
if (there was a platform-specific procedure to determine which credentials are present on the authenticator) {
    if (credentialList is empty) then continue;
} else {
    If C.transports is not empty, the client SHOULD select one transport from transports. Then, using transport, invoke the authenticatorGetAssertion operation on authenticator, with rpId, clientDataHash, credentialList, and authenticatorExtensions as parameters
}

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/481 using your GitHub account

Received on Wednesday, 31 May 2017 10:27:35 UTC
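The difference between the current step 13.3 and the proposed one, modelled as an added example (not spec text or code from the WebAuthn repository): a client decides per authenticator whether to invoke authenticatorGetAssertion, and the authenticator itself resolves an empty credentialList by offering every credential it stores for the RP. The Authenticator class, its fields and the sample credential ids are constructed for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Authenticator:
    """Constructed model of one authenticator as seen by the client."""
    name: str
    # Credential ids stored for this RP; the client only learns these when
    # can_enumerate is True (a platform authenticator).
    stored: set = field(default_factory=set)
    # True if a platform-specific procedure can tell which allowList entries
    # are present on this authenticator; False for a roaming authenticator.
    can_enumerate: bool = False


def authenticator_get_assertion(auth, credential_list):
    """Section 5.2.2 behaviour: an empty list means 'offer everything stored
    for this RP and let the user disambiguate'; otherwise intersect."""
    if not credential_list:
        candidates = set(auth.stored)
    else:
        candidates = set(credential_list) & auth.stored
    return candidates or None


def current_step_13_3(auth, allow_list):
    """Current text: credentialList must be non-empty before invoking."""
    if auth.can_enumerate:
        credential_list = {c for c in allow_list if c in auth.stored}
    else:
        credential_list = set(allow_list)  # client cannot filter; pass through
    if not credential_list:
        return None  # 'continue': this authenticator is never invoked
    return authenticator_get_assertion(auth, credential_list)


def proposed_step_13_3(auth, allow_list):
    """Proposed text: only skip when the platform itself found nothing;
    otherwise hand the (possibly empty) allowList to the authenticator."""
    if auth.can_enumerate:
        credential_list = {c for c in allow_list if c in auth.stored}
        if not credential_list:
            return None
        return authenticator_get_assertion(auth, credential_list)
    return authenticator_get_assertion(auth, set(allow_list))
```

With an empty allowList (a first-factor, "which account?" style request) the current text silently skips a roaming authenticator, while the proposed text lets the authenticator enumerate its own credentials.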