[webauthn] Allow hot-plugged authenticators?

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Thu, 05 Oct 2017 11:53:47 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-263097536-1507204413-sysbot+gh@w3.org>

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Allow hot-plugged authenticators? ==
In discussing the Firefox implementation with @jcjones we discovered a wrinkle in the `create()` and `get()` ceremonies: Hot-plugged authenticators - yes or no?

Currently, [§4.1.3. Create a new credential][make-cred] and [§4.1.4. Use an existing credential to make an assertion][assert] both specify their procedure in the form

 1. Prepare authenticator arguments
 2. Let `currentlyAvailableAuthenticators` be a new ordered set consisting of all authenticators currently available on this platform.
 3. Send command to each element of `currentlyAvailableAuthenticators`
 4. Wait for success or timeout

This seems to imply that hot-plugging is not supported - that authenticators that become available after (2) but before (4) must be ignored. However, there are multiple benefits to allowing hot-plugging:

- This is how the U2F implementations in Chrome and Firefox work, so users are accustomed to it.
- Relaxing the order of events makes for a much smoother user experience.
- It simplifies use of the JS API by making it less stateful. Without it the only way for the caller to ensure that the authenticator is ready, before calling `create()` or `get()`, is to prompt the user to ready the authenticator (i.e. plug it in) and then manually confirm this (i.e. press the "Next" button).
- The language "currently available" becomes very vague in the context of NFC, as the authenticator is necessarily "plugged in" _after_ the call to `create()` or `get()`.

The main caveat is that a call to `create()` or `get()` whose `excludeCredentials` or `allowCredentials` exclude all currently available authenticators would also wait for the timeout, which may not always be wanted. But on the other hand, the vast majority of users will probably only have one authenticator anyway.

I can draft a suggestion for this if it sounds like a good idea.

[make-cred]: https://w3c.github.io/webauthn/#createCredential
[assert]: https://w3c.github.io/webauthn/#getAssertion

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/613 using your GitHub account
Received on Thursday, 5 October 2017 11:53:36 UTC
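
An added example, not part of the original message or of the WebAuthn specification: a small JavaScript model of the four-step procedure quoted above, comparing a fixed snapshot of authenticators with a wait that accepts hot-plugged ones. The authenticator records, the field names `plugAt` and `touchAt`, the credential ids and the immediate failure in snapshot mode are assumptions made for illustration.

```javascript
// Constructed model: all times are milliseconds after the create()/get() call.
// An authenticator plugged in (or tapped, for NFC) after the call has plugAt > 0.
function runCeremony({ hotPlug, timeout, allowCredentials, authenticators }) {
  // Step 2: which authenticators the client will ever send the command to.
  const reachable = authenticators.filter(a =>
    hotPlug ? a.plugAt < timeout : a.plugAt <= 0);

  // An authenticator can answer only if it holds an allowed credential
  // (an empty allow list is treated here as "any credential").
  const eligible = reachable.filter(a =>
    allowCredentials.length === 0 ||
    a.credentials.some(c => allowCredentials.includes(c)));

  // Steps 3-4: an eligible authenticator answers once it is plugged in and touched.
  const answers = eligible
    .map(a => ({ id: a.id, at: Math.max(a.plugAt, a.touchAt) }))
    .filter(r => r.at < timeout)
    .sort((x, y) => x.at - y.at);

  if (answers.length > 0) {
    return { outcome: "success", by: answers[0].id, decidedAt: answers[0].at };
  }
  // Model assumption (not spec text): with a fixed snapshot and nothing eligible
  // the outcome is known at once; with hot-plugging the client has to keep
  // waiting, because an eligible authenticator may still show up.
  const decidedAt = !hotPlug && eligible.length === 0 ? 0 : timeout;
  return { outcome: "NotAllowedError", by: null, decidedAt };
}

// Constructed sample: a USB key already inserted, an NFC key tapped 4 s in.
const sample = [
  { id: "usb-key", plugAt: 0, touchAt: 9000, credentials: ["cred-A"] },
  { id: "nfc-key", plugAt: 4000, touchAt: 4000, credentials: ["cred-B"] },
];
const TIMEOUT = 60000;

for (const hotPlug of [false, true]) {
  for (const allow of [["cred-B"], ["cred-C"]]) {
    const r = runCeremony({ hotPlug, timeout: TIMEOUT,
                            allowCredentials: allow, authenticators: sample });
    console.log(`hotPlug=${hotPlug} allow=${allow}:`, r);
  }
}
```

In this model the NFC key is only usable when hot-plugging is allowed, and an allow list that matches no authenticator holds a hot-plug ceremony open for the full timeout, which is the caveat raised in the message.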
