Re: [webauthn] Platform authenticators and key stores

The RP will indeed get an ambiguous `NotAllowedError`, but that doesn't mean the RP can't show some kind of "Something wrong?" page. Just like many password forms provide a "Forgot password?" link on failed attempts, the RP can show a page to the effect of "Lost security key?" and other likely causes for the `NotAllowedError`. If the RP knows it's sent an `allowCredentials` of only platform credentials, it can make use of that information as well in trying to diagnose the problem (for example, showing the "Something wrong?" if the ceremony takes more than, say, 5 seconds, even if the actual timeout is much longer).

For example, Google's current U2F login currently shows a prominent "Having trouble?" button while waiting for the user to use their U2F key. Clicking the button allows the user to retry or try a different login method, and timeout and failure also sends the user to this same view. I think this kind of approach is very applicable to WebAuthn as well, for both platform and roaming credentials.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Monday, 26 March 2018 11:17:09 UTC