Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

From: Chad Killingsworth via GitHub <sysbot+gh@w3.org>
Date: Thu, 16 Jan 2020 14:08:31 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-575167290-1579183710-sysbot+gh@w3.org>
If that's the case, then I expect adoption to suffer. I'll always have to present both login options simultaneously and a non-technical user will stick with what is familiar. The password-based flow will be considered normal and we're back to the loss of phishing protection.

On native applications, it's typical for the app to know that the user has registered for biometric authentication (webauthn platform authenticators) and start the verification flow on the user's behalf automatically. I strongly feel that same flow should be the goal of webauthn primary factor - and in fact the spec does support it as _long_ as the user agent knows whether to begin the ceremony for a particular username first. 

In short - I think not considering this exact use case is a failing of the spec. Is there a way to add this use case?

GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1356#issuecomment-575167290 using your GitHub account
Received on Thursday, 16 January 2020 14:08:33 UTC
