W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2019

Re: [webauthn] Specify authenticator attachment for authentication operation (#1267)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Fri, 09 Aug 2019 21:14:02 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-520065542-1565385240-sysbot+gh@w3.org>
Again there is a way to provide the attachment modes for a given
authenticator.

In WebAuthn level 2 there is a API way to get the attachment of a given
credential even if you are not getting a attestation.

There are good reasons for getting attestations bit that is another
discussion.

Given the only mobile OS with a platform authenticator is Android and that
is still a bit broken for Resident credentials you can't be doing a get
credential without an allow list, so can send the attachment for the
credentialID.

So what is it that you think you don't like or won't work?

Let's talk specifically about Android. Is it the browser UI or calling the
WebAuthn API from an app that is your issue?

I think your goal is probably to have the platform authenticator that is in
GMS work well for you.

We should focus on that rater than jumping to the conclusion that an extra
RP parameter is the best option.

John B.

On Fri, Aug 9, 2019, 4:53 PM Ki-Eun Shin <notifications@github.com> wrote:

> @arshadnoor <https://github.com/arshadnoor> do you think I was asking
> customizing the spec for our own use cases?
> We are willing to support universal authentications if there is and we are
> going to try to make that one.
> This is just real problems for RPs having mobile based users. We cannot
> say to our users to buy external authenticators and we cannot explain what
> FIDO2/WebAuthn is in a very limited small screen. If they have external
> ones, they can use it. And, we are going to support them.
>
> And, this issue is basically raised because of the adoption challenges and
> the technical soundness.
> Current spec does have a way for RP to set authenticator attachment during
> registration but there is not for authentication.
> Still, RP can allow platform only, external authenticators only or both.
> If we are saying about the ecosystem and disallow such RPs' specific
> approaches (In fact, I don't agree), we should not provide such option for
> registration as well.
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <https://github.com/w3c/webauthn/issues/1267?email_source=notifications&email_token=AAAPQJY5HIVFZ4JQPLIHCQLQDXKL3A5CNFSM4IIDYLYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD37XYHQ#issuecomment-520059934>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AAAPQJ2HN5YZ7TE37JU2LVDQDXKL3ANCNFSM4IIDYLYA>
> .
>


-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1267#issuecomment-520065542 using your GitHub account
Received on Friday, 9 August 2019 21:14:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:06 UTC