Re: [webauthn] providing info about authenticator availability / attachments

So if I understand you correctly, your main concerns here are:

 1. As a RP, how do I detect if the user has an authenticator they haven't registered with me, so I can ask them if they want to register it?
 2. As a RP, how can I guide the user through the registration process?

Here are my thoughts on (1) in a few scenarios:

- **Scenario 1: The user has an external authenticator.**

  In this case there's no way for the browser to know about the authenticator while it's sitting in the user's pocket. On the other hand, since the user has acquired an external authenticator they likely know that they can use it, and are likely to actively seek out a way to register it.

  Another idea is to ask the user if they want to register an external authenticator if they don't have one registered when they register a platform credential (useful as a backup or for "blessing" other platform authenticators, i.e., for the first login on a new client). The RP can tell whether or not a credential belongs to a platform authenticator by using the [`authenticatorAttachment`][auth-attach] option when registering the credential, and recording this along with the credential registration.

- **Scenario 2: The user has a platform authenticator, and has no platform authenticator registered with the RP.**

  The user may not even be aware that they have a WebAuthn authenticator. It's even possible that a smartphone or laptop could silently _become_ a WebAuthn authenticator in a software update.

  In this case the RP can use the `isUserVerifyingPlatformAuthenticatorAvailable` method to detect the authenticator. Since the user has no platform authenticator registered, the RP knows this one is not registered and can ask the user if they want to register the authenticator.

- **Scenario 3: The user has a platform authenticator, and already has a platform authenticator registered.**

  This is the problematic case, but let's divide it into sub-scenarios depending on how the user logged in. If the user "logged in" automatically via a session cookie or the like, that session ticket could include a flag indicating which of these subscenarios the initial login was in.

  - **Subscenario A: The user logged in without using a WebAuthn credential.**

    The user may have used some other 2FA method, or doesn't have 2FA enabled.

    In this case, the platform authenticator is likely not registered - otherwise the user would probably have used it.

    Note that this assumes the RP lists all of the user's registered credentials in the [`allowCredentials`][allowCredentials] option, in which case the user is free to choose to use any that's available and convenient.

  - **Subscenario B: The user logged in using an external authenticator.**

    Again, the platform authenticator is likely not registered - otherwise the user would probably have used it - so it should be safe to ask. However the user _may_ have actively chosen to not use the platform authenticator for some reason (personal preference, company policy, etc.), so including a "No, don't ask again" option would probably be welcome.

  - **Subscenario C: The user logged in using a platform authenticator.**

    In this case, this platform authenticator must already be registered, so there's no need to ask.

I didn't expect this when I started writing the above, but it actually looks like this isn't that big an issue after all! Let me know if I overlooked something in my musings above.

Question (2) is a harder one, I think. Hopefully the browsers will do something to help with this, but what and how is currently outside the spec. If all else fails, I guess you could work around it by asking the user what kind of authenticator(s) they want to use.

What do you think about that?

[auth-attach]: https://w3c.github.io/webauthn/#dom-authenticatorselectioncriteria-authenticatorattachment
[allowCredentials]: https://w3c.github.io/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/764#issuecomment-363157016 using your GitHub account

Received on Monday, 5 February 2018 17:26:48 UTC
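The decision logic sketched in the comment above, written out as an added example (this is not emlun's code, nor code from the WebAuthn spec or any RP). It assumes the RP stores, with each credential, the `authenticatorAttachment` it requested at registration, and keeps a `loginMethod` flag in the session ticket so the subscenario survives cookie-based auto-login. The function and field names (`shouldOfferPlatformRegistration`, `LoginMethod`, the `{ id, attachment }` credential record) are hypothetical, and the sample credentials at the end are constructed. `detectPlatformAuthenticator` only calls the real browser API when it exists, so the rest of the block runs under Node as well.

```javascript
// Added example: RP-side logic for the scenarios in the comment above.
// Not code from the original comment or the WebAuthn spec; names are hypothetical.

// How the user authenticated in this session. Persist this in the session
// ticket so an auto-login via cookie can still apply the right subscenario.
const LoginMethod = Object.freeze({
  NON_WEBAUTHN: "non-webauthn",     // password, TOTP, SMS, or no 2FA at all (subscenario A)
  CROSS_PLATFORM: "cross-platform", // an external (roaming) authenticator (subscenario B)
  PLATFORM: "platform",             // a platform authenticator (subscenario C)
});

// Browser side: guarded wrapper around the detection API. Returns false where
// WebAuthn is absent (older browsers, or Node) instead of throwing.
async function detectPlatformAuthenticator() {
  if (typeof PublicKeyCredential === "undefined" ||
      typeof PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Creation options that pin the attachment type. The RP records `attachment`
// next to the resulting credential; the attachment it asked for is how it
// later knows which kind of authenticator the credential belongs to.
function makeCreationOptions({ rpId, rpName, userId, userName, challenge, attachment }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: { authenticatorAttachment: attachment, userVerification: "preferred" },
    timeout: 60000,
  };
}

// Request options listing every registered credential, so the user may pick
// whichever one is available and convenient (the assumption behind subscenario A).
function makeRequestOptions({ rpId, challenge, credentials }) {
  return {
    rpId,
    challenge,
    allowCredentials: credentials.map(c => ({ type: "public-key", id: c.id })),
    userVerification: "preferred",
  };
}

// Scenario 1: right after a platform registration, offer an external
// authenticator as a backup if none is on file for this user.
function shouldOfferExternalRegistration(credentials) {
  return !credentials.some(c => c.attachment === "cross-platform");
}

// Scenarios 2 and 3: decide whether to offer platform registration now.
// platformAvailable is the result of detectPlatformAuthenticator();
// optOut is true if the user previously chose "No, don't ask again".
function shouldOfferPlatformRegistration({ platformAvailable, credentials, loginMethod, optOut = false }) {
  if (!platformAvailable) return { offer: false, reason: "no platform authenticator detected" };
  if (optOut) return { offer: false, reason: "user chose not to be asked again" };

  const hasPlatformCred = credentials.some(c => c.attachment === "platform");
  if (!hasPlatformCred) {
    // Scenario 2: nothing of this kind is registered, so this one cannot be.
    return { offer: true, askAgainOption: false, reason: "no platform credential registered" };
  }

  switch (loginMethod) {
    case LoginMethod.PLATFORM:
      // Subscenario C: the credential just used must be this authenticator's.
      return { offer: false, reason: "logged in with a platform authenticator" };
    case LoginMethod.CROSS_PLATFORM:
      // Subscenario B: probably unregistered, but the user may have declined it on purpose.
      return { offer: true, askAgainOption: true, reason: "logged in with an external authenticator" };
    case LoginMethod.NON_WEBAUTHN:
      // Subscenario A: probably unregistered, otherwise the user would have used it.
      return { offer: true, askAgainOption: false, reason: "logged in without WebAuthn" };
    default:
      throw new Error(`unknown login method: ${loginMethod}`);
  }
}

// Constructed sample data: one credential of each kind for a single user.
const sampleCredentials = [
  { id: new Uint8Array([1, 2, 3]), attachment: "platform" },
  { id: new Uint8Array([4, 5, 6]), attachment: "cross-platform" },
];
```

The flag in `LoginMethod` is the only state the RP needs beyond its credential table; the `askAgainOption` field is what drives the "No, don't ask again" control that the comment suggests for subscenario B.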