W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2019

Re: [webauthn] Can't exclude U2F credentals (#1235)

From: Bart via GitHub <sysbot+gh@w3.org>
Date: Sun, 16 Jun 2019 16:28:39 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-502466504-1560702518-sysbot+gh@w3.org>
From an RP perspective: the user doesn't care much about, and probably doesn't even know, the difference between how their authenticator was registered. Ideally a migration is completely transparent to them and their U2F-registered credential should word just the same when the RP switches to WebAuthn (although some changes in browser UX may not be unavoidable, e.g. Chrome). 

Double registration can be prevented in both U2F and WebAuthn, but in this migration scenario it breaks down and can cause confusion. It would be nice if this area was also fully backwards compatible/"just works".

> I believe if both are present in allowCredentials the WebAuthn credential would probably override the U2F one, judging by how the appid extension client processing is written.

Based on some quick testing, Firefox 67 behaves this way. Chrome 74 seems to pick the first offered credential in `allowCredentials`, but this may be due to the AppID extension [not working for me](https://github.com/cedarcode/webauthn-ruby/pull/211#issuecomment-502410456) in Chrome and Safari.

GitHub Notification of comment by bdewater
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1235#issuecomment-502466504 using your GitHub account
Received on Sunday, 16 June 2019 16:28:41 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:37 UTC