Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

For the record, I think that consistency with CTAP2 isn't really necessary in this case. CTAP2 specifies a 1-to-1 client-to-authenticator interaction while WebAuthn specifies a 1-to-many client-to-authenticator interaction, so I think it makes sense to handle the case differently on the two levels.

> I wonder whether the browser folk are reticent to directly provide UX of this sort because of the desires for RPs to have fine-grained control over such UX [...]

Good point.

My concern with the solution proposed here is how it would interact with combinations of multiple authenticators. Multiple blinking USB dongles is one thing, and likely a minority use case, that might be a little annoying but probably quite harmless - but what about platform authenticators? If this would mean that USB dongles would light up _and_ an OS popup would appear on every authentication even if the platform authenticator isn't eligible, I suspect that might be more disorienting than helpful. All of this is speculation, though - I'd be happy to re-evaluate my position if there are any user studies (of any size) on this.

And then again there's the UX customization issue which could hurt adoption. I don't really feel qualified to tell which is the lesser evil...

GitHub Notification of comment by emlun

Received on Monday, 23 April 2018 14:09:52 UTC