
Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
Date: Sun, 05 Jan 2020 11:58:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-570904943-1578225479-sysbot+gh@w3.org>
Following the guidance of the spec to prevent username enumeration, our API will send back a valid PublicKeyCredentialRequestOptions response even for usernames which have not been enrolled. Calling `navigator.credentials.get` with those options where none of the allowedCredentials match still presents a UI. On Chrome the UI is an error and on Edge (not the Chromium version) it just asks the user to select any credential.

[Screenshot: "Screen Shot 2020-01-05 at 5 54 58 AM" (https://user-images.githubusercontent.com/1247639/71779843-f3736700-2f7f-11ea-9c63-1edb0d56264a.png)]

Experimentation indicates that this UI triggers any time there are zero matching credentials in the `allowedCredentials` array.

This UI flow prohibits me from beginning the webauthn ceremony for any user and requires that I know whether the user has been enrolled first. Our initial implementation uses a localStorage value to preserve state.

GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-570904943 using your GitHub account
Received on Sunday, 5 January 2020 11:58:01 UTC
