W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2018

Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Mon, 23 Apr 2018 14:09:45 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-383588683-1524492584-sysbot+gh@w3.org>
For the record, I think that consistency with CTAP2 isn't really necessary in this case. CTAP2 specifies a 1-to-1 client-to-authenticator interaction while WebAuthn specifies a 1-to-many client-to-authenticator interaction, so I think it makes sense to handle the case differently on the two levels.

>I wonder whether the browser folk are reticent to directly provide UX of this sort because of the desires for RPs to have fine-grained control over such UX [...]

Good point.

My concern with the solution proposed here is how it would interact with combinations of multiple authenticators. Multiple blinking USB dongles is one thing, and likely a minority use case, that might be a little annoying but probably quite harmless - but what about platform authenticators? If this would mean that USB dongles would light up _and_ an OS popup would appear on every authentication even if the platform authenticator isn't eligible, I suspect that might be more disorienting than helpful. All of this is speculation, though - I'd be happy to re-evaluate my position if there are any user studies (of any size) on this.

And then again there's the UX customization issue which could hurt adoption. I don't really feel qualified to tell which is the lesser evil...

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/863#issuecomment-383588683 using your GitHub account
Received on Monday, 23 April 2018 14:09:52 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:32 UTC