Re: [webauthn] Authenticator session not possible for BLE

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 17 Oct 2017 14:54:52 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-337258767-1508252091-sysbot+gh@w3.org>
Those are all very good points. On second thought I also think my concern about a confusing user experience is a minor one - the majority of users will likely have only one authenticator, or use only one at a time, so it shouldn't be too big an issue in practice. After all, I haven't heard about anyone complaining about this regarding U2F; I've only thought about it myself while testing interop with 3-4 authenticators plugged in.

Failing both requests in case of collision does seem very sound. I'm starting to think that's preferable to the options I described above, and that perhaps it's not actually a bad thing if the cancel operation cancels everything regardless of where the requests originated. As you say, it's probably better to err on the side of caution and prefer failing requests rather than risking that the user unwittingly authorizes unintended requests.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/649#issuecomment-337258767 using your GitHub account
Received on Tuesday, 17 October 2017 14:54:55 UTC