Re: [webauthn] How should website authors "get or create"? (#1533)

>  such that the RP does navigator.credential.get() using an empty allow list and the platform authnr can find the cred and utilize it, regardless of the browser that's being used at the time.

Another point that has been fuzzy for me...when would a site know to trigger a call to `navigator.credential.get()` unless they are tracking state to know that a user has a credential and that a call to `navigator.credential.get()` is going to be useful? But, if the site is already tracking state to know that `navigator.credential.get()` is going to be useful, then they could also be tracking state to know which registration they should trigger the flow with anyway. I know there were privacy reasons why the API decided against letting a site query on whether there is a credential for the site available. But, it seems like the net result is that you kinda have to keep track of state to know when to use the API for a given user. And, once that state is lost (i.e. cookies are cleared), the RP is in a bit of a tough spot. 

GitHub Notification of comment by ptoomey3
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 9 December 2020 15:08:59 UTC