Re: [webauthn] Authenticators that do not recognize any handles shouldn't just be dropped on the floor

So, to be honest, today, there's no good way in WebAuthn for an RP to indicate that they "definitely only want to deal with platform authenticators" when doing a "get" (or sign). I believe this might be a bit of a drawback for RPs who really don't want to bother users with external devices, but let's plan on discussing that in more detail in Amsterdam.

Let's assume for a moment the RP has a way to say "I definitely want a platform authenticator" and say so. In that case, Chrome will present a dialog to the user saying "there are no keys here" and then will notify the RP upon dismissal of the box.

If the RP doesn't specify a preference (or says that the key might explicitly be on a roaming authenticator), I think we should tell the user to insert a key.
a) If they happen to insert a key on which the credential resides and touch it: SUCCESS
b) If they happen to insert a key on which the credential doesn't reside: Make it blink. And when the user touches it, tell the RP the credential isn't here.

If the user is confused by the dialog and closes it, tell the RP that there's no credential here.

Does that make sense?

GitHub Notification of comment by christiaanbrand

Received on Wednesday, 25 April 2018 21:09:53 UTC