Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

Sorry for going AWOL, wanted to double-check some facts with folks first before making a bunch of assertions :-)

Jeff largely has it right with regard to not wanting to do all the UX in the browser. It's also difficult to build functioning RPs if we don't respond to certain calls.

> If this would mean that USB dongles would light up and an OS popup would appear on every authentication even if the platform authenticator isn't eligible, I suspect that might be more disorienting than helpful.

Regarding platform authenticators, Chrome does intend to have a dialog to notify the user (and not call down to the platform authenticator, so as to prevent OS popups), after which Chrome will return to the RP.

For what it's worth, we have empirical evidence from our rollout of security keys at Google (using the cryptotoken extension) where we got lots of bug reports saying their 'keys didn't work' when in fact they weren't registered. When cryptotoken changed to make them blink, the complaints stopped (rigorous user study, right??).

GitHub Notification of comment by kpaulh

Received on Wednesday, 25 April 2018 02:34:58 UTC