W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2018

Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

From: kpaulh via GitHub <sysbot+gh@w3.org>
Date: Wed, 25 Apr 2018 02:34:55 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-384142499-1524623694-sysbot+gh@w3.org>
Sorry for going AWOL, wanted to double-check some facts with folks first before making a bunch of assertions :-)

Jeff largely has it right with regards to not wanting to do all the UX in the browser. It's also difficult to build functioning RPs if we don't respond to certain calls. 

>  If this would mean that USB dongles would light up and an OS popup would appear on every authentication even if the platform authenticator isn't eligible, I suspect that might be more disorienting than helpful.

Regarding platform authenticators, Chrome does intend to have a dialog to notify the user (and not call down to the platform authenticator, so as to prevent OS popups), after which Chrome will return to the RP.

For what it's worth, we have empirical evidence from our rollout of security keys at Google (using the cryptotoken extension) where we got lots of bug reports saying their 'keys didn't work' when in fact they weren't registered. When cryptotoken changed to make them blink, the complaints stopped (rigorous user study, right??).

-- 
GitHub Notification of comment by kpaulh
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/863#issuecomment-384142499 using your GitHub account
Received on Wednesday, 25 April 2018 02:34:58 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:32 UTC