Re: [webauthn] navigator.credentials.get() option to suppress chrome UI popup if allowCredentials is not present in the authenticator (#1251) from Emil Lundberg via GitHub on 2019-07-02 (public-webauthn@w3.org from July 2019)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Jul 2019 08:25:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-507574914-1562055914-sysbot+gh@w3.org>

Sorry, returning a specific error for this case is unfortunately not an option, because that would enable malicious RPs to use WebAuthn credentials to identify users without consent. See [§13.6. Authentication Ceremony Privacy](https://w3c.github.io/webauthn/#sctn-assertion-privacy). The UI popup is necessary so that the RP cannot use timing information to determine if the browser canceled the ceremony because no credential is available, or if the user canceled the popup asking whether to proceed. The alternative would be to always wait for the timeout before returning a `NotAllowedError`, which would be even worse UX.

This feature request is incompatible with the [de-anonymization prevention measures](https://w3c.github.io/webauthn/#sctn-non-correlatable-credentials) in WebAuthn; I propose closing the issue.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1251#issuecomment-507574914 using your GitHub account

Received on Tuesday, 2 July 2019 08:25:17 UTC