
Re: [webauthn] No way to verify requireResidentKey during registration step at RP side (#1060)

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Thu, 17 Jan 2019 01:40:49 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-455010244-1547689248-sysbot+gh@w3.org>

@herrjemand Thanks for pointing out the related docs.
When I tried to test the requireResidentKey feature with Edge and Windows Hello (PIN), I could create the key with the default value (false), and the generated key could be used in the username-less flow (empty _allowCredentials_).
So, I am thinking that browsers do not filter out the authenticator that only supports _RK_ when _requireResidentKey_ is false, and the authenticator maintains the credential on the client side.
So, to support this, the RP should set _requireResidentKey_ to true for the creation, handle the error, and then try with _requireResidentKey_ as false. This is very bad UX for the user and it is hard to handle.
If the RP wants to support various scenarios (username-less, first-factor, second-factor, etc.) depending on the authenticator types, it is better for the RP to get the authenticator types (rk, uv, up, etc.) during the registration process.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1060#issuecomment-455010244 using your GitHub account
Received on Thursday, 17 January 2019 01:40:50 UTC
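
The message's point about which authenticator properties the RP can learn at registration can be checked against the authenticator data header the RP receives. The following is an added example, not part of the original message or of any WebAuthn project code: it decodes the flags byte and shows that UP and UV are reported there, while no bit reports whether the credential is resident. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example (not from the original thread). Fixed header layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const HEADER_LEN = 37;
const FLAGS = { up: 0x01, uv: 0x04, at: 0x40, ed: 0x80 };

function parseAuthDataHeader(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < HEADER_LEN) {
    throw new RangeError("authenticator data is shorter than the 37-byte header");
  }
  const flagsByte = authData[32];
  const flags = {};
  for (const [name, mask] of Object.entries(FLAGS)) {
    flags[name] = (flagsByte & mask) !== 0;
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    rpIdHash: authData.slice(0, 32),
    flags,
    signCount: view.getUint32(33, false),
    // No flag bit reports whether the credential is resident (rk), so the RP
    // cannot read that property from this structure.
    residentKey: "unknown",
  };
}

// Constructed sample: placeholder rpIdHash (0xAA bytes), chosen flags and counter.
function buildSampleAuthData(flagsByte, signCount) {
  const bytes = new Uint8Array(HEADER_LEN).fill(0xaa, 0, 32);
  bytes[32] = flagsByte;
  new DataView(bytes.buffer).setUint32(33, signCount, false);
  return bytes;
}

// flags 0x45 = UP | UV | AT, signCount = 7
const sample = parseAuthDataHeader(buildSampleAuthData(0x45, 7));
console.log(sample.flags, sample.signCount, sample.residentKey);
```
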
