Re: [webauthn] Include an AuthenticatorTransport when creating a new credential.

There is no such thing as passing "platform" and "cross platform" during signature. It will be passed as part of the transport as "internal" and "caBLE" for example. I guess this is what you mean?

If that's the case, the platform will, by default, try to solve the request with the built-in authenticator first (since that allows for the best UX); if there's no credential there, it will then show the dialog to plug in an external authenticator.
If there *is* an internal credential, it's up to the platform to decide if it wants to allow the user to cancel out of using that one, and rather insert an external token, although I struggle to really see the use case there.

However, I think I now also understand what Akshay was alluding to on the call today:
What if we send down a Sign request to the user-agent with an empty list of credentialIds? It's still conceivable that the RP would want to express some preference over whether to allow this request to be satisfied by a local authenticator vs. a roaming authenticator. I think this is a corner case though (if I already have a platform authenticator, the RP should *usually* be able to have a hint to it from a cookie or something), and I would expect an RP who supports the "typeless flow" to be equally happy with a built-in (chances of getting a hit there are slim) OR an external authenticator (this is mostly where the credential will be during bootstrapping), so maybe this use case isn't that important.
-- 
GitHub Notification of comment by christiaanbrand
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/882#issuecomment-386148760 using your GitHub account

Received on Wednesday, 2 May 2018 23:08:54 UTC