Re: [webauthn] Platform authenticators and key stores

Do we envision tweaking the API for this? In that case, perhaps it could be solved by adding a (non-signed) `AuthenticatorAttachment` attribute to `PublicKeyCredentialDescriptor` and `AuthenticatorAttestationResponse`? That would require no changes to CTAP or authenticators. Then the client could detect if `allowCredentials` lists only platform credentials of which none is available, although that on its own wouldn't be enough to determine whether a credential has disappeared from the current device.

I think we also need to be careful with what kind of error to throw in that case. As we've discussed before, returning an error immediately could leak identifying information. On the other hand I think that showing an immediate browser popup informing the user, without immediately resolving the promise, shouldn't be an issue.

GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 28 March 2018 18:09:50 UTC