- From: Lucas Garron via GitHub <sysbot+gh@w3.org>
- Date: Thu, 15 Apr 2021 03:04:39 +0000
- To: public-webauthn@w3.org
> * If there is no ambient credential (maybe fresh browser or cookies are cleared), you just prompt normal authentication process with password. Then, RP can get associated credentials for that user and search credentials for platform authenticator and ask for the user authentication with those credential in the allowList. We have the following issues with this: - The user is already authenticated. We would have to explain that we are putting a WebAuthn *authentication* prompt even though the real purpose is *registering* a trusted device. That's pretty confusing for a general purpose audience. - Any time the user logs into a new device, the *expected* flow for registration will start with a prompt that is guarantted to end in an error — where we can't control how the browser explains the error. - If the existing registration is a security key, we may need to detect and delete the existing security key registration with the new registration. This requires careful logic (so the user can't accidentally get stuck in a state with neither the old nor the new registration, or with a non-working registration), and implementing an extra UI. Our trusted device implementation could be significantly simpler if we could assume that old security key registrations (which we did not ask the browser to make discoverable) will not be invalidated as a side effect of the new functionality. -- GitHub Notification of comment by lgarron Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-820022886 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 15 April 2021 03:04:40 UTC