
Re: [webauthn] Can't exclude U2F credentials (#1235)

From: Lucas Garron via GitHub <sysbot+gh@w3.org>
Date: Wed, 19 Jun 2019 20:15:16 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-503729738-1560975315-sysbot+gh@w3.org>
While working on webauthn support for github.com, I was thoroughly confused by this behaviour and thought I did something wrong (e.g. perhaps I [converted key handles to credential IDs](https://github.com/w3c/webauthn/issues/1229) in a way that works only for some cases).

While @emlun's scenario is somewhat contrived, I would strongly like to echo the importance of a transparent migration from U2F. We don't want users to have to think about what kind of security key registration they have. It could be very confusing if a duplicate registration for the "same" key works only sometimes, especially given that it might work the "first" time but not the following times.

Or rather, it could be *misleading* instead of confusing. Experiences with debugging issues during our webauthn transition suggest that discrepancies like this can really mess with someone's mental model.

Also, I'd like to note that some major sites (e.g. google.com during initial launch) do not support naming registered authenticator keys, making it difficult to tell if a particular key is already registered.

So, we'd really like to see webauthn support this behaviour!

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1235#issuecomment-503729738 using your GitHub account
Received on Wednesday, 19 June 2019 20:15:18 UTC
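The key-handle-to-credential-ID conversion and the excludeCredentials behaviour discussed in the comment above, as an added example that is not part of the original issue thread or of GitHub's code. It assumes an RP that stored its legacy U2F key handles as websafe-base64 (the encoding the old U2F JavaScript API delivered) and runs on Node, where `Buffer` is available; the transport list and sample handles are constructed for illustration.

```javascript
// Added example (not from the issue thread): RP-side helpers that turn the key
// handles of existing U2F registrations into WebAuthn excludeCredentials, plus a
// check that notices when the browser registered one of them anyway.
// Assumption: U2F key handles were stored as websafe-base64 (base64url, no padding).

function base64urlToBytes(s) {
  // Re-pad and swap the URL-safe alphabet so a standard base64 decoder accepts it.
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') +
    '='.repeat((4 - (s.length % 4)) % 4);
  return new Uint8Array(Buffer.from(padded, 'base64'));
}

function bytesToBase64url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Build PublicKeyCredentialCreationOptions.excludeCredentials from stored U2F
// registrations. A U2F key handle is, byte for byte, the WebAuthn credential ID,
// so decoding it is the whole conversion.
function excludeCredentialsFromU2F(registrations) {
  return registrations.map(reg => ({
    type: 'public-key',
    id: base64urlToBytes(reg.keyHandle),
    transports: ['usb', 'nfc', 'ble'], // assumed: U2F keys are roaming authenticators
  }));
}

// After navigator.credentials.create() resolves, compare the new credential's
// rawId against the exclude list. A match means the authenticator registered a key
// the RP asked to exclude (the behaviour the thread describes); treat it as a
// duplicate of the existing registration instead of a fresh one.
function isDuplicateOfExcluded(newRawId, excludeCredentials) {
  const newId = bytesToBase64url(new Uint8Array(newRawId));
  return excludeCredentials.some(c => bytesToBase64url(c.id) === newId);
}

// Constructed sample data: two fake U2F key handles, not real registrations.
const u2fRegistrations = [
  { keyHandle: 'AQIDBA' },  // bytes 01 02 03 04
  { keyHandle: 'BQYHCAk' }, // bytes 05 06 07 08 09
];
const excludeList = excludeCredentialsFromU2F(u2fRegistrations);
```

In the browser the `excludeList` goes into `publicKey.excludeCredentials` of the `navigator.credentials.create()` options, and `isDuplicateOfExcluded(credential.rawId, excludeList)` runs on the result.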