[webauthn] Dependence on Browser state for Primary Factor login (#1356)

ChadKillingsworth has just created a new issue for https://github.com/w3c/webauthn:

== Dependence on Browser state for Primary Factor login ==
I work in the financial industry and username enumeration is not permitted. That means to utilize webauthn for primary factor logins, the browser has to keep a state of whether or not the user has enabled it. This can be done via traditional storage mechanisms such as cookies, but I have found those to be fragile and frequently absent.

My concern is that a good portion of the anti-phishing benefit of webauthn for primary factor logins will be lost as a user will still think that a password based login flow is "normal" even though they have enabled webauthn for the primary factor.

For password credentials, the browser both stores and provides a UI for the user to select a credential to send to the server. In Chrome, it's possible to have a login without any HTML UI form elements. I'd propose a similar use case for PublicKeyCredentials. Allow the browser to prompt the user to select a username from the set of public key credentials stored on the device from which to initiate the ceremony.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356 using your GitHub account

Received on Saturday, 4 January 2020 11:51:48 UTC