W3C home > Mailing lists > Public > public-webauthn@w3.org > January 2020

Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
Date: Thu, 09 Jan 2020 19:23:53 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-572714647-1578597832-sysbot+gh@w3.org>
> If this weren't the case, RPs would be able to probe silently for the (non-)existence of a credential with a given credential ID, which is a tracking concern.

I was able to infer this restriction from the spec and appreciate it. Which is why I was attempting to suggest something slightly different.

Couldn't a UI prompt to select a registered user for the current site require a user gesture?

> If what you're interested in is login without a password, why would the user enter a username in the first place? Couldn't the site send a get() request with an empty allowList? The user would then select one of the resident credentials, and the site would be able to associate the correct user based on the response.

Unfortunately no as this still leaves the user in an error state until at least one valid credential is registered. It's also a bit of a jarring user experience for selecting a user. For our flow, platform authenticators are an upgrade after a traditional username/password login experience.

GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-572714647 using your GitHub account
Received on Thursday, 9 January 2020 19:23:55 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:38:37 UTC