Re: [webauthn] What is the point of `allowCredentials`?

@subyraman Your understanding of the spec is correct, in addition to what @herrjemand points out.

What the Chrome team is pointing out is that they want to allow the RP to detect if the user attempts to authenticate with an authenticator that does not have one of the allowed credentials, so the RP can inform the user that they need to use a different authenticator. In order to do that, they need the user to first confirm the attempt to authenticate - otherwise there's no way to know that the user won't plug in a different authenticator a few seconds into the future. I'm guessing this could be solved better by instad showing a browser popup when the user plugs in an authenticator without any of the `allowCredentials`, rather than returning an error to the RP. I added a comment on that to the Chrome thread too.

This issue stands in opposition to #863.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Friday, 13 April 2018 17:07:32 UTC