Re: [webauthn] What is the point of `allowCredentials`?

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Fri, 13 Apr 2018 17:07:30 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-381200701-1523639249-sysbot+gh@w3.org>

@subyraman Your understanding of the spec is correct, in addition to what @herrjemand points out.

What the Chrome team is pointing out is that they want to allow the RP to detect if the user attempts to authenticate with an authenticator that does not have one of the allowed credentials, so the RP can inform the user that they need to use a different authenticator. In order to do that, they need the user to first confirm the attempt to authenticate - otherwise there's no way to know that the user won't plug in a different authenticator a few seconds into the future. I'm guessing this could be solved better by instead showing a browser popup when the user plugs in an authenticator without any of the `allowCredentials`, rather than returning an error to the RP. I added a comment on that to the Chrome thread too.

This issue stands in opposition to #863.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/867#issuecomment-381200701 using your GitHub account
Received on Friday, 13 April 2018 17:07:32 UTC