Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

If that's the case, then I expect adoption to suffer. I'll always have to present both login options simultaneously, and a non-technical user will stick with what is familiar. The password-based flow will be considered normal and we're back to the loss of phishing protection.

On native applications, it's typical for the app to know that the user has registered for biometric authentication (webauthn platform authenticators) and start the verification flow on the user's behalf automatically. I strongly feel that same flow should be the goal of webauthn primary factor - and in fact the spec does support it as _long_ as the user agent knows whether to begin the ceremony for a particular username first. 

In short - I think not considering this exact use case is a failing of the spec. Is there a way to add this use case?

GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at using your GitHub account

Received on Thursday, 16 January 2020 14:08:33 UTC