Re: [webauthn] Dependence on Browser state for Primary Factor login (#1356)

Just to make sure we are talking about the same thing:

1. I do split the username to a separate step to allow for a check for authn support first.
2. I see USB keys and other cross-platform authenticators as a 2nd factor authentication only.
3. I use platform authenticators as a first factor authentication only after a traditional authentication with username, password followed by a 2nd factor auth of some sort has fully authenticated the user. Subsequent authentication can then use webauthn platform authentication as the only factor.

The problem comes that I can't automatically test for the webauthn flow without some upfront knowledge. I could have a separate button on the username form and let the user decide, but I see that as requiring a huge amount of user education and I do not believe it will have substantial impact on phishing. 

With these current restrictions I just don't see webauthn being usable for primary factor authentication unless username enumeration is permissible.

GitHub Notification of comment by ChadKillingsworth

Received on Saturday, 25 January 2020 15:24:38 UTC