[webauthn] Is it possible to fail the registration ceremony if a certain extension is not present? (#1487) from Arian van Putten via GitHub on 2020-09-28 (public-webauthn@w3.org from September 2020)

From: Arian van Putten via GitHub <sysbot+gh@w3.org>
Date: Mon, 28 Sep 2020 13:36:41 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-710271991-1601300199-sysbot+gh@w3.org>

arianvp has just created a new issue for https://github.com/w3c/webauthn:

== Is it possible to fail the registration ceremony if a certain extension is not present? ==
I know we're wary of feature detection without prompting user presence for privacy reasons.

However, I'm in a bit of an annoying situation, and I think it should be solveable without compromising privacy. I was wondering if it's possbile with the current spec but I couldn't figure out why.

My usecase: I'm building a cloud password manager; on top of the `prf` extension; which I want to use to derive a local key for encryption. This means I do not want people to register with credentials that do not support the extension. I'm also relying on resident credentials for the user to get prompted what authenticator to use.

I want to figure out if people actually have this extension.
Problem now is I set `{prf: true}` in the `create` call; but I can only find out if the authenticator supports the extension I want _after_ registration is complete. At which point it is too late. I'd like the registration ceremony to _fail_ if the extension is not there, such that the credential doesn't show up in the resident credential menu later when authenticating.

Then I found out about the `exts` extension; which should allow for discovering what extensions are supported. But again this doesn't really help as you discover what extensions are present _after_ the credential is created.

Is there any way to _assert_ that certain credentials are present, without polluting the resident credential slots on the authenticator? (which might lead to a lot of user confusion "Why do I have 10 accounts named the same way in my chrome settings tab?")

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1487 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 28 September 2020 13:36:43 UTC