
Re: [webauthn] How should website authors "get or create"? (#1533)

From: Patrick Toomey via GitHub <sysbot+gh@w3.org>
Date: Wed, 09 Dec 2020 15:08:58 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-741832443-1607526537-sysbot+gh@w3.org>
> such that the RP does navigator.credentials.get() using an empty allow list and the platform authnr can find the cred and utilize it, regardless of the browser that's being used at the time.

Another point that has been fuzzy for me... when would a site know to trigger a call to `navigator.credentials.get()` unless they are tracking state to know that a user has a credential and that a call to `navigator.credentials.get()` is going to be useful? But, if the site is already tracking state to know that `navigator.credentials.get()` is going to be useful, then they could also be tracking state to know which registration they should trigger the flow with anyway. I know there were privacy reasons why the API decided against letting a site query on whether there is a credential for the site available. But, it seems like the net result is that you kinda have to keep track of state to know when to use the API for a given user. And, once that state is lost (i.e. cookies are cleared), the RP is in a bit of a tough spot.

GitHub Notification of comment by ptoomey3
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1533#issuecomment-741832443 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 9 December 2020 15:08:59 UTC
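
The state dependency raised in the message above, sketched as an added JavaScript example (not part of the original post, the issue thread, or the WebAuthn specification). `HINT_KEY`, `planCeremony`, `signIn`, the order of the checks and the `identify-first` fallback are all hypothetical choices made for illustration; the challenge is assumed to come from the RP's server.

```javascript
// Added illustration: how much the RP's choice depends on state it has kept.
const HINT_KEY = "webauthn-registered"; // hypothetical client-side hint key

// storage: any object with getItem() (localStorage in a browser).
// challenge: server-issued BufferSource.
// serverCredentialIds: credential IDs (Uint8Array) the server returned after
// the user identified themselves, or null while the user is still unknown.
function planCeremony(storage, challenge, serverCredentialIds) {
  if (serverCredentialIds && serverCredentialIds.length > 0) {
    // Server-side state: the user is identified, so scope get() to the
    // credentials registered for that account.
    const allowCredentials = serverCredentialIds.map((id) => ({ type: "public-key", id }));
    return { method: "get", options: { publicKey: { challenge, allowCredentials } } };
  }
  if (storage.getItem(HINT_KEY) === "1") {
    // Client-side state survived: empty allow list, so the authenticator
    // looks for a discoverable credential for this RP on its own.
    return { method: "get", options: { publicKey: { challenge, allowCredentials: [] } } };
  }
  // No state at all (cookies and storage cleared): the RP cannot tell whether
  // get() would find anything, so it has to identify the user another way first.
  return { method: "identify-first", options: null };
}

// Browser-only wrapper around the decision above.
async function signIn(storage, challenge, serverCredentialIds) {
  const plan = planCeremony(storage, challenge, serverCredentialIds);
  if (plan.method !== "get") return plan;
  const assertion = await navigator.credentials.get(plan.options);
  return { method: "get", assertion };
}
```

The third branch is the situation the message describes: with the hint gone and no identified user, nothing available to the page indicates whether a `get()` call would succeed.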
