- From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
- Date: Sun, 05 Jan 2020 11:58:00 +0000
- To: public-webauthn@w3.org
Following the guidance of the spec to prevent username enumeration, our API will send back a valid PublicKeyCredentialRequestOptions response even for usernames which have not been enrolled. Calling `navigator.credentials.get` with those options where none of the allowedCredentials match still presents a UI. On Chrome the UI is an error and on Edge (not the Chromium version) it just asks the user to select any credential.

[Screenshot "Screen Shot 2020-01-05 at 5 54 58 AM": https://user-images.githubusercontent.com/1247639/71779843-f3736700-2f7f-11ea-9c63-1edb0d56264a.png]

Experimentation indicates that this UI triggers anytime there are zero matching credentials in the `allowedCredentials` array. This UI flow prohibits me from beginning the webauthn ceremony for any user and requires that I know whether the user has been enrolled first. Our initial implementation uses a localStorage value to preserve state.

-- 
GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-570904943 using your GitHub account
Received on Sunday, 5 January 2020 11:58:01 UTC