Re: [webauthn] providing info about authenticator availability / attachments

Ah, I did indeed miss at least one thing:

>Another issue:
>
>1) User registers an authenticator on their laptop.
>2) User attempts to access my website on their phone.
>3) I have to guess if they have a valid authenticator by issuing a `navigator.credentials.get` request.
>- I can narrow my guess by storing user agent data in my database, or retaining data in the user's browser storage, but this seems fragile.

This probably does require some guesswork and/or workarounds using cookies or browser storage, I think.

For what it's worth, you can let your guesswork be informed by some timing information. While the API won't let you draw any definite conclusions (again, because of privacy concerns), you could probably guess that if the `credentials.get()` takes more than, say, 5-10 seconds to complete, the user probably doesn't have a registered platform authenticator on that device. If you then also know the user has no external authenticator registered, you could pop up an option to try another login method (but probably still wait for the `credentials.get()` to complete - the user could have a physical disability making the process difficult, for example).

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/764#issuecomment-363164260 using your GitHub account

Received on Monday, 5 February 2018 17:51:38 UTC
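
The timing heuristic described in the message above, as an added example that is not part of the original message or of any WebAuthn library: it starts a timer alongside the credential request, offers another login method if the request is still pending after a threshold and the user has no external authenticator on record, and keeps waiting for the request either way. The function and option names and the 7-second default (picked from the 5-10 second range in the message) are assumptions; in a browser the first argument would be `() => navigator.credentials.get({ publicKey })`.

```javascript
// Added example; all names here are hypothetical.
// getCredential: function returning the promise from navigator.credentials.get().
// opts.hasExternalAuthenticator: what the site's own database says about the
//   account (the API itself reveals nothing about attached authenticators).
// opts.onSlow: callback that reveals the "try another login method" option.
function getAssertionWithFallbackHint(getCredential, opts) {
  const {
    hintAfterMs = 7000,
    hasExternalAuthenticator = false,
    onSlow = () => {},
  } = opts || {};

  const started = Date.now();
  let hinted = false;
  let timer = null;

  // Only guess "no platform authenticator here" when the account has no
  // roaming authenticator that the user might still be reaching for.
  if (!hasExternalAuthenticator) {
    timer = setTimeout(() => {
      hinted = true;
      onSlow(); // show the alternative, but do NOT cancel the request
    }, hintAfterMs);
  }

  const finish = (extra) => {
    clearTimeout(timer);
    return Object.assign({ hinted, elapsedMs: Date.now() - started }, extra);
  };

  // The request is never raced or aborted: a slow user still gets to finish.
  return Promise.resolve()
    .then(getCredential)
    .then(
      (credential) => finish({ ok: true, credential }),
      (error) => finish({ ok: false, error })
    );
}
```

The `hinted` flag in the result is only a guess about the device; a slow response can equally come from a user who needs more time, which is why the request is left running.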