Re: [webauthn] providing info about authenticator availability / attachments

Thanks for the questions. There are two main reasons why these pieces of information are not available. First, due to privacy considerations we have chosen to explicitly forbid clients from making it possible for an RP to silently determine what credentials the user owns. Second, the spec is written to support an asynchronous "hot-plugging" interaction flow where the user can plug in an authenticator _after_ the RP calls the methods on `navigator.credentials`.

The privacy considerations are discussed in #184, #204 and #687, and in the editor's draft of the spec in [§14.2. Authentication Ceremonies][priv-cons]. In summary: providing the information you request would also give malicious RPs a reliable way to silently identify a user without consent.

The "hot-plugging" interaction flow, discussed in #613, #508 and #574, means that the client will wait for an authenticator to become available within a timeout - which could be immediately, e.g., built-in platform authenticators or an already connected USB key - and attempt to use the authenticator when it shows up. If the user denies consent, or ignores the prompt, the client will keep waiting for another authenticator to become available. Only when the timer expires does the client return a failure to the caller. Thus, there is no one instant when the client can check which authenticators are "available", because there could for instance be a USB key "available" sitting next to the computer which would only be seen by the client after the user plugs it in.

The "hot-plugging" flow also ties in with the privacy considerations, as described in [§14.2. Authentication Ceremonies][priv-cons].

What you _can_ do is use the [`isUserVerifyingPlatformAuthenticatorAvailable`][isplat] method to check for the presence of a user-verifying platform authenticator, although that will of course only work for that particular kind of authenticator.

Does this answer some of your questions?

[priv-cons]: https://w3c.github.io/webauthn/#sec-assertion-privacy
[isplat]: https://w3c.github.io/webauthn/#isUserVerifyingPlatformAuthenticatorAvailable

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/764#issuecomment-360742628 using your GitHub account

Received on Friday, 26 January 2018 10:28:43 UTC
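
The relying-party side of the flow described in the comment above, as an added example that is not part of the original comment or of the WebAuthn spec text: it asks only the one availability question the API answers, then starts the ceremony and lets the client's timeout cover hot-plugged authenticators. The function names, the `showHint` callback, the hint strings and the `scope` parameter (injected so the code also runs outside a browser) are assumptions.

```javascript
// Added example (not from the original comment). Helper names, `showHint`,
// `scope` and the hint strings are illustrative assumptions.

// Feature-detect, then ask only what the API answers: is a user-verifying
// platform authenticator present? Nothing here enumerates the user's
// credentials or roaming authenticators.
async function platformAuthenticatorAvailable(scope = globalThis) {
  const pkc = scope.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return false; // WebAuthn, or this method, is not supported
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (err) {
    return false; // treat any failure as "not available"
  }
}

// Start the ceremony without knowing which authenticators exist. The client
// waits up to `timeoutMs` for one to appear (hot-plugging) and only then fails.
// `challenge` must be a fresh server-generated value in real use.
async function requestAssertion(challenge, timeoutMs, showHint, scope = globalThis) {
  const hint = (await platformAuthenticatorAvailable(scope))
    ? 'Use this device, or plug in a security key.'
    : 'Plug in your security key now.';
  showHint(hint); // shown before the call, since the call may block until timeout
  try {
    const credential = await scope.navigator.credentials.get({
      publicKey: { challenge, timeout: timeoutMs },
    });
    return { ok: true, credential };
  } catch (err) {
    // An expired timer is reported as NotAllowedError; offer a retry
    // instead of guessing why no authenticator answered.
    return { ok: false, retry: err.name === 'NotAllowedError', error: err.name };
  }
}
```
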