Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

> @lgarron What is the User Story you're trying to engineer a solution to?

The ideal user story would be something similar to Touch ID as it works on iOS apps, which does not have the same issues because:

- An app can reliably tell if the device has an available Touch ID registration it can prompt the user for.
- A new registration does not break existing registrations — especially not in other apps.

If you replace "Touch ID" with "WebAuthn" and "app" with "browser", then:

- The first bullet is strongly constrained by the privacy goals of the WebAuthn spec authors.
- The issue I filed here can address the second bullet for some specific situations.

> 
> From everything I read so far I'm understanding it's something related to handling user login from a "new computer" (new/different browser profile, etc...), but beyond that there're some generalizations that are making it hard to figure out what your exact problem is. Is it some kind of issue related to 2FA-oriented attestation (UP-only, `"none"` attestation) internally generating a discoverable credential that is at risk of being replaced when you try to "upgrade" that user to Passwordless or Usernameless via a "re-registration" (a second attestation requiring UV and direct attestation)?

It's a combination of the following:

- Support a "create or get [or replace]" credential re-association operation https://github.com/w3c/webauthn/issues/1568
- Some platforms will invalidate existing server-side registrations if you make any new registration.
- GitHub has existing security key registrations of platform authenticators.

We are trying to implement [trusted device functionality](https://www.w3.org/TR/webauthn-2/#sctn-authenticator-attachment-modality) given these constraints.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-820019460 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 15 April 2021 02:54:03 UTC
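The "create or get" re-association flow and the "new registration must not break existing registrations" constraint discussed in the comment above, as an added example that is not part of the thread or of any GitHub or W3C code. It is an RP-side sketch against the standard Web Authentication API: the `credentials` object is injected so the flow can run outside a browser (in a page it would be `navigator.credentials`); the RP ID `example.com`, the `transports` hint, the algorithm list and the challenge bytes are assumed placeholders. The protective check is `excludeCredentials`: an authenticator that already holds one of the listed credentials rejects the new registration with `InvalidStateError` rather than creating a second credential that may invalidate the first.

```javascript
// Added example (not from the thread): RP-side "get, else create" for
// re-associating a device with an account, using standard WebAuthn options.
// `credentials` is injected (navigator.credentials in a browser) so the flow
// is testable offline. All IDs, names and challenges below are constructed.

const te = new TextEncoder();

// Request options limited to the registrations the RP already stores for this
// user, so an unrelated authenticator is never prompted.
function buildGetOptions(challenge, existingCredentialIds) {
  return {
    challenge,
    rpId: "example.com",                 // assumed RP ID
    userVerification: "preferred",
    allowCredentials: existingCredentialIds.map((id) => ({
      type: "public-key",
      id,
      transports: ["internal"],          // platform authenticator ("trusted device")
    })),
  };
}

// Creation options that list every credential the RP already knows for this
// user in excludeCredentials. Per the WebAuthn spec, an authenticator holding
// one of them must refuse the new registration (InvalidStateError) instead of
// silently creating, and possibly replacing, a credential.
function buildCreateOptions(challenge, user, existingCredentialIds) {
  return {
    challenge,
    rp: { id: "example.com", name: "Example RP" },              // assumed
    user: { id: te.encode(user.id), name: user.name, displayName: user.name },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: { authenticatorAttachment: "platform", userVerification: "required" },
    excludeCredentials: existingCredentialIds.map((id) => ({ type: "public-key", id })),
    attestation: "none",
  };
}

// "get, else create": try an assertion against known registrations first and
// only register when none is usable. The returned `action` tells the server
// whether a new registration was actually made.
async function getOrCreate(credentials, challenge, user, existingCredentialIds) {
  if (existingCredentialIds.length > 0) {
    try {
      const assertion = await credentials.get({ publicKey: buildGetOptions(challenge, existingCredentialIds) });
      return { action: "get", credential: assertion };
    } catch (err) {
      // NotAllowedError: no listed credential was available here (new profile,
      // wiped device, user cancelled). Any other error is a real failure and
      // must not be turned into a registration attempt.
      if (err.name !== "NotAllowedError") throw err;
    }
  }
  try {
    const created = await credentials.create({ publicKey: buildCreateOptions(challenge, user, existingCredentialIds) });
    return { action: "create", credential: created };
  } catch (err) {
    // InvalidStateError: this authenticator already holds an excluded credential.
    // Do not retry without excludeCredentials; that retry is what overwrites
    // an existing registration on some platforms.
    if (err.name === "InvalidStateError") return { action: "already-registered", credential: null };
    throw err;
  }
}
```

The server should only store a new registration when `action === "create"`; on `"already-registered"` the right move is to reuse the stored credential (for example by retrying `get` with user interaction) rather than to drop `excludeCredentials`.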