Re: [webauthn] Specify authenticator attachment for authentication operation (#1267)

[IIUC](https://en.wiktionary.org/wiki/IIUC), the "If there is no credential bound to the calling RP, it will begin to search external authenticators which introduce some UIs" situation will only occur if there are no "ambient credentials" (such as cookies) identifying the user for the RP thus causing the RP to send the empty allowlist on the get() call. 

Otherwise (ambient creds present), the RP knows which user, and (hopefully) knows which credentialID(s) it has for that user that is/are associated with a platform authnr(s) and sends them in the [`allowCredentials`](https://www.w3.org/TR/webauthn/#dom-publickeycredentialrequestoptions-allowcredentials) list.

The latter case is the most common case AFAIK (?). If so, then it is not clear (to me) that we need to alter the [PublicKeyCredentialRequestOptions](https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions) to include an explicit notion of "use the platform authnr if available even though we are not passing in an `allowCredentials` list".

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1267#issuecomment-516937150 using your GitHub account

Received on Wednesday, 31 July 2019 17:07:57 UTC
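
The two cases described in the comment above, as an added server-side sketch that is not part of the original message or of the WebAuthn specification: the RP builds `PublicKeyCredentialRequestOptions` with an empty `allowCredentials` list when no ambient credential identifies the user, and otherwise lists that user's platform-authenticator credential IDs. The `credentialStore` layout, the `attachment` field (which the RP would have to record itself at registration), `session.userId` and the RP ID `example.test` are assumptions.

```javascript
// Added illustration (Node.js). Not code from the WebAuthn spec or the issue thread.
const crypto = require('crypto');

// Constructed sample data: userId -> credentials the RP stored at registration.
// `attachment` is a hypothetical field the RP recorded when the credential was created.
const credentialStore = new Map([
  ['alice', [
    { id: 'cGxhdGZvcm0tY3JlZC0x', attachment: 'platform', transports: ['internal'] },
    { id: 'cm9hbWluZy1jcmVkLTE', attachment: 'cross-platform', transports: ['usb', 'nfc'] },
  ]],
  ['bob', [
    { id: 'cm9hbWluZy1jcmVkLTI', attachment: 'cross-platform', transports: ['usb'] },
  ]],
]);

// Fresh random challenge per request, base64url-encoded for transport to the client.
function newChallenge() {
  return crypto.randomBytes(32).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build the options the RP sends to the client for navigator.credentials.get().
function buildRequestOptions(session, store, rpId) {
  const options = {
    challenge: newChallenge(),
    rpId,
    allowCredentials: [], // empty list: the client may offer any authenticator
  };

  // Case 1: no ambient credential (e.g. no cookie), so the RP cannot name a user.
  const userId = session && session.userId;
  if (!userId) return options;

  // Case 2: user is known. Prefer credentials bound to a platform authenticator;
  // fall back to everything registered so a user with only roaming keys can sign in.
  const creds = store.get(userId) || [];
  const platform = creds.filter((c) => c.attachment === 'platform');
  const chosen = platform.length > 0 ? platform : creds;
  options.allowCredentials = chosen.map((c) => ({
    type: 'public-key',
    id: c.id,
    transports: c.transports,
  }));
  return options;
}
```
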