
Re: [webauthn] No way to verify requireResidentKey during registration step at RP side (#1060)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Jan 2019 01:40:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-455010244-1547689248-sysbot+gh@w3.org>
@herrjemand Thanks for pointing out the related docs.
When I tried to test the requireResidentKey feature with Edge and Windows Hello (PIN), I could create the key with the default value (false), and the generated key could be used in a username-less flow (empty _allowCredentials_).
So, I am thinking that browsers do not filter out an authenticator that only supports _RK_ when _requireResidentKey_ is false, and the authenticator maintains the credential on the client side.
So, to support this, the RP should set _requireResidentKey_ to true for the creation, handle the error, and then try with _requireResidentKey_ as false. This is very bad UX for the user and it is hard to handle.
If the RP wants to support various scenarios (username-less, first-factor, second-factor, etc.) depending on the authenticator types, it is better for the RP to get the authenticator types (rk, uv, up, etc.) during the registration process.

GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-455010244 using your GitHub account
Received on Thursday, 17 January 2019 01:40:50 UTC
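
The try-then-fall-back registration described in the message above, as an added example that is not part of the original comment or of any browser's code. The names `registerPreferResidentKey`, `stubAuthenticator` and `SAMPLE_OPTIONS` are hypothetical, and the stub's behaviour (rejecting with `NotAllowedError` when a resident key is required but unsupported) is an assumption made so the flow runs outside a browser.

```javascript
// `create` is injected so this runs outside a browser; in a page it would be
// (options) => navigator.credentials.create(options).
async function registerPreferResidentKey(create, publicKey) {
  let ceremonies = 0;
  for (const requireResidentKey of [true, false]) {
    const options = {
      publicKey: {
        ...publicKey,
        authenticatorSelection: {
          ...publicKey.authenticatorSelection,
          requireResidentKey,
        },
      },
    };
    ceremonies += 1; // each attempt is a separate prompt for the user
    try {
      const credential = await create(options);
      // requestedResidentKey is only what the RP asked for. With `false` the
      // authenticator may still have stored the credential client-side, and
      // nothing in this flow tells the RP so.
      return { credential, requestedResidentKey: requireResidentKey, ceremonies };
    } catch (err) {
      // NotAllowedError also covers user cancel and timeout, so the RP cannot
      // tell "no resident-key support" apart from "user said no".
      if (err.name !== "NotAllowedError" || !requireResidentKey) throw err;
    }
  }
}

// Constructed stub standing in for navigator.credentials.create().
function stubAuthenticator(supportsResidentKey) {
  return async ({ publicKey }) => {
    if (publicKey.authenticatorSelection.requireResidentKey && !supportsResidentKey) {
      const err = new Error("constructed failure");
      err.name = "NotAllowedError";
      throw err;
    }
    return { id: "constructed-credential-id", type: "public-key" };
  };
}

// Constructed creation options (challenge, user and pubKeyCredParams omitted).
const SAMPLE_OPTIONS = { rp: { name: "Example RP" }, authenticatorSelection: {} };
```

The `ceremonies` count makes the UX cost visible: an authenticator without resident-key support costs the user two prompts before registration succeeds.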
