Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

(This was discussed on the call of 2020-01-22.)

A browser can't be sure whether a 1st-factor flow is suitable for a given website because users might be authenticating with, for example, a USB token that they insert.

In current designs, users register security keys as an additional layer of security and, after that point, they are _required_ for that account to be authenticated, so fallback to passwords alone isn't permitted. (Some sites split the username entry out into a separate step so that they can better guide the authentication based on the exact account that's logging in.)

I get that you would like a button that triggers a WebAuthn login if it'll work, and immediately fails if not. But I don't believe that we can provide that given privacy concerns and given that the platform doesn't know what authenticators a user might insert.

Overall, the decision on the call was that we don't see an action here, I'm afraid.

GitHub Notification of comment by agl
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 22 January 2020 21:55:27 UTC