Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

> If this weren't the case, RPs would be able to probe silently for the (non-)existence of a credential with a given credential ID, which is a tracking concern.

I was able to infer this restriction from the spec and appreciate it, which is why I was attempting to suggest something slightly different.

Couldn't a UI prompt to select a registered user for the current site require a user gesture?

> If what you're interested in is login without a password, why would the user enter a username in the first place? Couldn't the site send a get() request with an empty allowList? The user would then select one of the resident credentials, and the site would be able to associate the correct user based on the response.

Unfortunately no, as this still leaves the user in an error state until at least one valid credential is registered. It's also a bit of a jarring user experience for selecting a user. For our flow, platform authenticators are an upgrade after a traditional username/password login experience.

GitHub Notification of comment by ChadKillingsworth

Received on Thursday, 9 January 2020 19:23:55 UTC
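
The two request shapes discussed in this message, as an added example that is not part of the original post: a get() request with an empty allowCredentials list (the spec field the thread calls allowList), and a request listing a known account's credential IDs after a password login. Function names, the account store and the sample bytes are constructed for illustration.

```javascript
// Added example; every name and byte value below is hypothetical.
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// Username-less flow: an empty allowCredentials list lets the authenticator
// offer its resident (discoverable) credentials for this RP.
function usernamelessOptions(challenge, rpId) {
  return { challenge, rpId, allowCredentials: [], userVerification: "required" };
}

// Upgrade-after-password flow: the RP already knows the account, so it lists
// only the credential IDs registered to that account.
function knownUserOptions(challenge, rpId, account) {
  return {
    challenge,
    rpId,
    allowCredentials: account.credentialIds.map((id) => ({ type: "public-key", id })),
    userVerification: "preferred",
  };
}

// Server side of the username-less flow: find the account from
// response.userHandle, then confirm the credential ID is registered to it.
// Signature and challenge verification must still follow this lookup.
function resolveAccount(assertion, accountsByHandle) {
  const handle = assertion.response.userHandle;
  if (!handle || handle.byteLength === 0) return null;
  const account = accountsByHandle.get(toHex(handle));
  if (!account) return null;
  const rawId = toHex(assertion.rawId);
  const owns = account.credentialIds.some((id) => toHex(id) === rawId);
  return owns ? account : null;
}

// Constructed sample data: one account with one registered credential.
const alice = { name: "alice", credentialIds: [Uint8Array.of(0xaa, 0x01)] };
const accounts = new Map([[toHex(Uint8Array.of(0x10, 0x20)), alice]]);
const sampleAssertion = {
  rawId: Uint8Array.of(0xaa, 0x01),
  response: { userHandle: Uint8Array.of(0x10, 0x20) },
};
```

In a browser either options object is passed as `navigator.credentials.get({ publicKey: options })`, and the call must be made in response to a user action.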