[webauthn] providing info about authenticator availability / attachments

subyraman has just created a new issue for https://github.com/w3c/webauthn:

== providing info about authenticator availability / attachments ==
Apologies if some of these usability issues have been answered already. In trying to develop with the spec I'm feeling that it doesn't provide granular information that would be very useful for providing users with an easy authentication workflow. There seems to be no information around:

- if authenticators are available for registration
- if those authenticators are enrolled with the relying party

Android, for example, has `FingerprintManager` for providing this information, with `fingerprintManager.isHardwareDetected()`, `fingerprintManager.hasEnrolledFingerprints()`, it has `KeyguardManager` for determining if a PIN/pattern/password is available, etc.

There are a few usability issues I've run into:

- User has multiple authenticators on a laptop. 
- During a `navigator.credentials.create` request, all authenticators are notified and request the user's attention. Windows Hello will pop up a modal, a Yubikey flashes, maybe a soft token pops up a notification as well.
- The user is confused, and because I can't request a specific authenticator to register, I cannot help guide them through the process.

The spec mentions that relying parties can discover credentials [using optional criteria](https://w3c.github.io/webauthn/#getAssertion), but I don't know ahead of time what criteria to request.
 
Another issue:

1) User registers an authenticator on their laptop.
2) User attempts to access my website on their phone.
3) I have to guess if they have a valid authenticator by issuing a `navigator.credentials.get` request.
- I can narrow my guess by storing user agent data in my database, or retaining data in the user's browser storage, but this seems fragile.

What would be great is if devs got more granular information about authenticators: their availability, their enrollment status, etc. Something like:

`navigator.credentials.isAuthenticatorAvailable() -> Boolean`

or more specifically:

`navigator.credentials.getAvailableAuthenticatorAttachments() -> AuthenticatorAttachment[]`
`navigator.credentials.hasEnrolledAuthenticator(credentialID) -> Boolean`

Any thoughts around this would be welcomed. 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/764 using your GitHub account

Received on Thursday, 25 January 2018 20:45:16 UTC
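
Added example, not part of the original issue or of the WebAuthn project's own code: one way a relying party can feature-detect with the existing `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` call and then limit a `navigator.credentials.create` ceremony to one authenticator class through `authenticatorSelection.authenticatorAttachment`. The names `probeClient`, `buildCreateOptions`, `env`, `caps` and `choice` are hypothetical.

```javascript
// Added example: feature-detect first, then restrict the ceremony to one
// authenticator class so that only that class asks for the user's attention.

// Probe what the client reports. `env` is `window` in a browser; it is a
// parameter here (an assumption of this sketch) so the logic runs offline.
async function probeClient(env) {
  const pkc = env && env.PublicKeyCredential;
  const caps = { webauthn: Boolean(pkc), platformUV: false };
  if (caps.webauthn &&
      typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      caps.platformUV =
        (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
    } catch (_) {
      caps.platformUV = false; // treat a failing probe as "not available"
    }
  }
  return caps;
}

// Build the `publicKey` member for navigator.credentials.create().
// `base` carries rp, user, challenge and pubKeyCredParams from the server.
// `choice` is what the user picked in the page's own UI: "platform" or
// "cross-platform". Returns null when WebAuthn is not usable at all.
function buildCreateOptions(base, caps, choice) {
  if (!caps.webauthn) return null;
  let attachment = choice === "platform" ? "platform" : "cross-platform";
  // A platform-only request cannot succeed without one; fall back to roaming.
  if (attachment === "platform" && !caps.platformUV) attachment = "cross-platform";
  return {
    ...base,
    authenticatorSelection: {
      ...(base.authenticatorSelection || {}),
      authenticatorAttachment: attachment,
    },
  };
}

// Browser usage (not executed here):
//   const caps = await probeClient(window);
//   const publicKey = buildCreateOptions(serverOptions, caps, "platform");
//   if (publicKey) await navigator.credentials.create({ publicKey });
```

The probe covers only user-verifying platform authenticators; it reports nothing about roaming authenticators or about whether a credential is already registered with the relying party.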