[webauthn] RPs cannot show "You've Already Registered This Authenticator" Message

leshi has just created a new issue for https://github.com/w3c/webauthn:

== RPs cannot show "You've Already Registered This Authenticator" Message ==
Many RPs prevent users from registering the same Authenticator twice.  RPs do this by specifying the already known credentials in `excludeCredentials` during the `create()` call, which then gets passed down into `authenticatorMakeCredential` in the `excludeCredentialDescriptorList`.  Authenticators "should not create a new credential" if they recognize a credential that they have previously minted.

In reading 6.2.2, step 3.1, when the authenticator discovers that it owns one of the excluded credentials, the authenticator replies with a `NotAllowedError`:

> If looking up descriptor.id in this authenticator returns non-null, and the returned item's RP ID and type match rpEntity.id and excludeCredentialDescriptorList.type respectively, then return an error code equivalent to "NotAllowedError" and terminate the operation.

This error is then propagated to the RP by the client.  In looking at step 5.1.3 step 21, we see:

> Return a DOMException whose name is "NotAllowedError". In order to prevent information leak that could identify the user without consent, this step MUST NOT be executed before lifetimeTimer has expired. See §14.2 Registration and Authentication Ceremonies Privacy for details.


As written, the spec has two problems:

1.  The generic "NotAllowedError" is shared between lots of different error situations.  This does not allow the RP to show a meaningful message to the user.  Note that Google and GitHub (and probably many other RPs that use U2F) already give users meaningful messages in these cases:
![github](https://user-images.githubusercontent.com/1407369/36325278-26c5d512-130c-11e8-84fb-9a3190478f68.png)
![google](https://user-images.githubusercontent.com/1407369/36325334-5c0aae1e-130c-11e8-9a1a-0159d123538f.png)

2. The lifetimeTimer will prevent this error from being responsive.  Users will touch their Security Key and then stare into blank space until the timer expires.



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/806 using your GitHub account
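The following is an added example, not code from the issue, from the WebAuthn spec, or from any RP named above. It shows the RP-side flow the issue describes: building the `create()` options so that every credential already on the account is listed in `excludeCredentials`, and then handling the `NotAllowedError` the client returns, which (as the issue points out) the RP receives only after the timeout and cannot distinguish from a cancellation or a plain timeout. Because the spec only says authenticators "should not" honour the exclusion, the example also includes the server-side check an RP should still make: comparing the returned credential ID against the credentials it already knows. The RP ID, user, challenge and credential IDs are constructed sample values; in production the challenge must be fresh random bytes issued by the RP server.

```javascript
// Added example (not from the issue or the WebAuthn spec): RP-side handling of
// excludeCredentials and of the error that comes back. Runs in a browser or in
// Node >= 16 (both provide atob); only the actual navigator.credentials.create()
// call is browser-only and is therefore kept out of the helper functions.

// Decode a base64url string (how RPs usually store credential IDs) into the
// BufferSource form WebAuthn requires for excludeCredentials[].id and user.id.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Build the PublicKeyCredentialCreationOptions for a user whose account already
// has `knownCredentialIds` (base64url). Every known credential is listed so the
// authenticator is asked to refuse creating a second credential on the same device.
function buildCreationOptions({ rpId, rpName, userId, userName, challenge,
                                knownCredentialIds, timeoutMs = 60000 }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: base64urlToBytes(userId), name: userName, displayName: userName },
      challenge: base64urlToBytes(challenge), // must be server-issued random bytes
      pubKeyCredParams: [
        { type: 'public-key', alg: -7 },   // ES256
        { type: 'public-key', alg: -257 }, // RS256
      ],
      timeout: timeoutMs,
      excludeCredentials: knownCredentialIds.map((id) => ({
        type: 'public-key',
        id: base64urlToBytes(id),
      })),
      attestation: 'none',
    },
  };
}

// Classify the rejection from navigator.credentials.create(). Per the spec text
// quoted in the issue, an excluded credential surfaces as "NotAllowedError" and
// only after lifetimeTimer expires, the same name and timing as a user
// cancellation or an ordinary timeout, so the RP cannot produce an
// "already registered" message from the error alone.
function describeRegistrationFailure(err, elapsedMs, timeoutMs) {
  const name = err && err.name;
  if (name === 'NotAllowedError') {
    return {
      code: elapsedMs >= timeoutMs ? 'NOT_ALLOWED_AFTER_TIMEOUT' : 'NOT_ALLOWED',
      message: 'Registration was not completed. If you already registered this ' +
               'security key, it cannot be added twice.', // best the RP can say
    };
  }
  return { code: 'OTHER', message: 'Registration failed: ' + (name || 'unknown error') };
}

// Server-side check the RP should make even though excludeCredentials was sent:
// the spec only says the authenticator "should not" create a duplicate, so the
// RP must itself reject a returned rawId it already has on file.
function isAlreadyRegistered(returnedRawId, knownCredentialIds) {
  const got = new Uint8Array(returnedRawId);
  return knownCredentialIds.some((id) => {
    const known = base64urlToBytes(id);
    if (known.length !== got.length) return false;
    for (let i = 0; i < got.length; i++) if (known[i] !== got[i]) return false;
    return true;
  });
}

// Browser-only usage (not executed under Node): time the ceremony so that the
// delayed NotAllowedError can at least be recognised as a post-timeout failure.
async function registerInBrowser(options) {
  const started = Date.now();
  try {
    const cred = await navigator.credentials.create(options);
    return { ok: true, rawId: cred.rawId };
  } catch (err) {
    return { ok: false, ...describeRegistrationFailure(err, Date.now() - started,
                                                         options.publicKey.timeout) };
  }
}
```

`isAlreadyRegistered` belongs on the server, run against the credential list for the account being registered (and, if the RP wants to prevent one key being bound to several accounts, against all accounts); it is the check that does not depend on the authenticator honouring the exclusion list.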

Received on Friday, 16 February 2018 19:28:38 UTC