Re: [webauthn] Platform authenticators and key stores

Do we envision tweaking the API for this? In that case, perhaps it could be solved by adding a (non-signed) `AuthenticatorAttachment` attribute to `PublicKeyCredentialDescriptor` and `AuthenticatorAttestationResponse`? That would require no changes to CTAP or authenticators. Then the client could detect if `allowCredentials` lists only platform credentials of which none is available, although that on its own wouldn't be enough to determine whether a credential has disappeared from the current device.

I think we also need to be careful with what kind of error to throw in that case. As we've discussed before, returning an error immediately could leak identifying information. On the other hand, I think that showing an immediate browser popup informing the user, without immediately resolving the promise, shouldn't be an issue.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/851#issuecomment-376982715 using your GitHub account

Received on Wednesday, 28 March 2018 18:09:50 UTC
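
The client-side check and the delayed-error behaviour discussed in the comment above, as an added JavaScript example that is not part of the original message, of any browser, or of the WebAuthn specification. The `authenticatorAttachment` field on a descriptor is the attribute the comment proposes; `classifyAllowList`, `getAssertion`, the `ui` object, the string credential ids and the choice of `NotAllowedError` are assumptions made for illustration.

```javascript
// Hypothetical model of the proposal; not spec text or browser code.
// Constructed sample: descriptors carrying the proposed unsigned hint.
const SAMPLE_ALLOW_LIST = [
  { type: "public-key", id: "cred-A", authenticatorAttachment: "platform" },
  { type: "public-key", id: "cred-B", authenticatorAttachment: "platform" },
];

// What the client can conclude from the allow list and its local key store.
function classifyAllowList(allowCredentials, localCredentialIds) {
  if (allowCredentials.length === 0) return "no-allow-list";
  const onlyPlatform = allowCredentials.every(
    (c) => c.authenticatorAttachment === "platform"
  );
  // A missing or cross-platform hint means a roaming authenticator may match.
  if (!onlyPlatform) return "roaming-possible";
  const anyLocal = allowCredentials.some((c) => localCredentialIds.has(c.id));
  // "platform-unavailable" does not prove a credential disappeared from this
  // device: the listed credentials may simply live on another device.
  return anyLocal ? "platform-available" : "platform-unavailable";
}

// Model of the get() flow. In the unavailable case the user is informed at
// once, but the promise settles only after the user dismisses the popup, so
// the calling page sees no immediate error it could use as a signal.
function getAssertion(allowCredentials, localCredentialIds, ui) {
  const state = classifyAllowList(allowCredentials, localCredentialIds);
  return new Promise((resolve, reject) => {
    if (state === "platform-unavailable") {
      ui.inform("No credential for this site is available on this device.");
      ui.onDismiss(() =>
        reject(Object.assign(new Error("not allowed"), { name: "NotAllowedError" }))
      );
    } else {
      // Normal path: also waits for a user gesture before settling.
      ui.promptForGesture(() => resolve({ state }));
    }
  });
}
```

Both branches settle only after user interaction, which is the property the comment relies on to avoid an immediate, distinguishable error.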