[webauthn] Making PublicKeyCredentialDescriptor.transports mandatory (#1522)

arshadnoor has just created a new issue for https://github.com/w3c/webauthn:

== Making PublicKeyCredentialDescriptor.transports mandatory ==
When John Doe registers a new key with an RP, using a platform authenticator on a computing device, his newly generated private key is bound to that platform authenticator on that computing device. Clearly, when he attempts to authenticate to the RP site from _another_ computing device, he is not going to succeed.

The [_transports_](https://www.w3.org/TR/webauthn-2/#enum-transport) member of PublicKeyCredentialDescriptor has the ability to signal the RP that the registered key was generated from an **_internal_** authenticator (as opposed to one using transport protocols of external authenticators, namely: _usb_, _nfc_ or _ble_).

Since _transports_ is currently OPTIONAL, it prevents the RP from properly signaling John Doe in the use-case defined above: that, in order to authenticate with his FIDO key to the RP site, he must use the original computing device - or use an alternate method to log in to the RP's site.

Secondly, if the RP knew that John Doe has a second registered credential, whose _transports_ identified one of _usb_, _nfc_ or _ble_, it would also allow the RP to suggest he use that external authenticator to log in to the RP site. But since _transports_ is currently optional, this information is not consistently available to the RP.

It is recommended to make _transports_ mandatory, have RPs store them on the FIDO server, and use that information within their applications to present messages that provide a better user experience.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1522 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 17 November 2020 13:54:06 UTC
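The RP-side behaviour the issue asks for, as an added example that is not part of the issue or of the WebAuthn specification: given the `transports` an RP stored for each of a user's credentials, build the `allowCredentials` list and choose which message to show, falling back to a non-committal message when a credential was registered without `transports` (the gap the issue describes). The function `planAuthentication`, the `HINTS` table and the credential records are assumptions for illustration; the stored values are modelled as what `AuthenticatorAttestationResponse.getTransports()` returned at registration.

```javascript
// Added example, not code from the issue or the WebAuthn spec.
// Assumption: at registration the RP saved the array returned by
// AuthenticatorAttestationResponse.getTransports() next to the credential ID.
// An empty array models a registration where no transports were reported,
// which the spec currently allows because the member is optional.

const EXTERNAL_TRANSPORTS = new Set(["usb", "nfc", "ble"]);

// User-facing messages keyed by what the stored transports let the RP conclude.
const HINTS = {
  internalOnly:
    "Your key is bound to the device you registered it on. " +
    "Sign in from that device, or use another sign-in method.",
  externalAvailable: "Use your external security key (USB, NFC or Bluetooth) to sign in.",
  mixed: "Sign in from the device you registered on, or use your external security key.",
  unknown: "If sign-in fails, try the device you registered on or another sign-in method.",
};

// credentials: [{ id: string, transports: string[] }] as stored by the RP.
// Returns the allowCredentials entries for navigator.credentials.get() plus
// the kind of hint the RP can justify and the message text for that kind.
function planAuthentication(credentials) {
  const allowCredentials = credentials.map((c) => ({
    type: "public-key",
    id: c.id,
    transports: c.transports, // forwarded so the client tries the right channel
  }));

  let internal = 0, external = 0, unknown = 0;
  for (const c of credentials) {
    const hasInternal = c.transports.includes("internal");
    const hasExternal = c.transports.some((t) => EXTERNAL_TRANSPORTS.has(t));
    if (hasInternal) internal++;
    if (hasExternal) external++;
    if (!hasInternal && !hasExternal) unknown++; // nothing stored: cannot advise
  }

  // Only conclude "internal only" when every credential reported transports;
  // an unreported credential might be an external key the RP cannot see.
  let kind;
  if (internal > 0 && external > 0) kind = "mixed";
  else if (external > 0) kind = "externalAvailable";
  else if (internal > 0 && unknown === 0) kind = "internalOnly";
  else kind = "unknown";

  return { allowCredentials, kind, hint: HINTS[kind] };
}
```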