[webauthn] Personal information updates & webauthn (#1456)

nsatragno has just created a new issue for https://github.com/w3c/webauthn:

== Personal information updates & webauthn ==
This mirrors [issue 914](https://github.com/fido-alliance/fido-2-specs/issues/914) on FIDO.

At the moment, there is no straightforward way to update a user's personal information (`name` and `displayName`) associated to a credential. If a user wants to do it, they have to:

* If the credential is discoverable:
  * Have the relying party register a new credential using the same user handle.
  Note that this requires an implementation from the relying party to always use the same user handle for the same user. I expect many implementations to simply generate a random user handle for each credential and associate that to their actual user identity.
* If the credential is not discoverable:
  * Have the relying party register a new credential.
  * Have the relying party remove the old credential.

This situation is pretty bad. Users and relying parties might not even be aware of this issue, and it is easy to imagine an account picker with an old name appearing during log-in long after the user has updated their identity to the website.


To make this situation better, I propose the following check-list of changes:

* **Add a `authenticatorUpdateCredential` operation on the authenticator model** that allows updating `displayName`, `name`, and any other mutable metadata associated to the user the credential belongs to.
* **For [stateless credentials](https://w3c.github.io/webauthn/#credential-id), disallow packing `otherUI` into the credential ID.** `otherUI` might include mutable information such as the user's name. Credential IDs are meant to be immutable and I also see no reason for packing that information anyway since it doesn't seem to be surfaced later.
* **Add a section under [Relying Party Operations](https://w3c.github.io/webauthn/#sctn-rp-operations) detailing the process to update the user information (at the moment it would be a description of the steps above... but maybe we can do better).**
* **Provide a better way to update the personal information without user action**. One way I can think of is adding a `credentials.get` extension that specifies the new values for `displayName` / `name` for each credential on the allow-list. This would be fairly straightforward to implement but unfortunately wouldn't work for empty allow-lists. Perhaps if the RP uses empty allow-lists, then they could have their users go through a webauthn flow as part of the personal information update.
 A much more complex idea for platforms but probably better for users would be to provide a hook between returning a credential ID and finishing the webauthn request. Websites would be able to use this hook to query their back-end for personal information updates and have the browsers update that before finishing the request.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1456 using your GitHub account

Received on Friday, 17 July 2020 17:28:55 UTC