W3C home > Mailing lists > Public > public-webauthn@w3.org > August 2019

Re: [webauthn] Specify authenticator attachment for authentication operation (#1267)

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Sat, 10 Aug 2019 00:24:33 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-520101721-1565396672-sysbot+gh@w3.org>
It will give users the option of a external authenticator if you send
credentials that have transports like NFC or USB.

I think it is better for you to use the API to get the transports for the
credentials and then work with Google and others to optimise how the UX is
presented.

The new webAuthn API can be used with get credential as well for
credentials you don't have transports for.

Yes I have confidence that some of the remaining issues with resident
credentials ( otherwise known as credentials that work without an allow
list) will get sorted out shortly.

It sounds like you are still experimenting with flows.  While you may want
to use the platform authenticator, you may still have a better user flow by
using the allow list and not prompting the user with the credential
selector dialog.

I am happy to explore what will and won't work for you and see how to make
it better.   I just think it is premature to assume that adding that flag
for get credential without an allow list is going to work the way you are
hopeing.

Let's have a look at the flows and dialogs now without RK and what changes
once no allow list is working on Android.

John B.

On Fri, Aug 9, 2019, 5:29 PM Ki-Eun Shin <notifications@github.com> wrote:

> John, Thanks for pointing out. I basically agree with your suggestion. If
> the platform can handle the cases better, we should rely on it. I hope that
> our users do not confuse the unknown message.
>
> Regarding the specific cases, we are considering mobile web and native app
> for Android. Still, Android does not support RK. But, we expect that the RK
> is eventually supported.
> Then, as I mentioned before (cross browser and cross browser and native),
> the cases where we haven't any credential info will happen. Maybe, if there
> is no credential on the platform, the Android will prompt for external
> authenticator?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <https://github.com/w3c/webauthn/issues/1267?email_source=notifications&email_token=AAAPQJ27AF6Z547FNE6QOILQDXOVJA5CNFSM4IIDYLYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD372FYA#issuecomment-520069856>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AAAPQJ3TRPFIIOZ2YWOXZ2LQDXOVJANCNFSM4IIDYLYA>
> .
>


-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1267#issuecomment-520101721 using your GitHub account
Received on Saturday, 10 August 2019 00:24:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:06 UTC