Re: [webauthn] Cross origin authentication without iframes (#1667)

Hi Akshay,

You're asking an important question here, so thank you and I apologize for not covering this explicitly in my presentation.

> which probably originated from web payments groups

For the record, there is no probably. Secure Payment Confirmation has been developed entirely within the W3C Web Payments Working Group from its inception >1 year ago to today. 

> [...] I don't understand how browser will determine [whether a credential is SPC-enabled].

The unappealing answer for today is: we currently store a browser-local list of credentials created in that browser with SPC permission, and require at auth-time that a credential matches the list. This has **many** issues of course, and so is not the long-term plan.

The longer-term plan should be authenticator-based, I think - perhaps a platform authenticator API in the intermediate future, or a CTAP bit in the longer-term to enable all authenticators. Or there may be a superior solution that the WebAuthn WG are better able to come up with (as my FIDO-level knowledge falls short!).

> If that results in the authenticator deciding it, then that WebAuthn system pop-up still comes up, probably resulting in "No such credentials found". Which no other origin has the ability to do today. And that is a UI problem.

My hope is that the same APIs required for [Conditional UI](https://github.com/w3c/webauthn/issues/1637) will enable SPC without a platform 'No such credentials' prompt. The question one is trying to answer from the browser code is "Do any of these credentials exist on this device **and** are enabled for SPC". The first half is close to Conditional UI, the second half is new.

This long term plan would require Discoverable Credentials, and that is why I believe [SPC should require them too](https://github.com/w3c/secure-payment-confirmation/issues/92).

-- 
GitHub Notification of comment by stephenmcgruer
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-908573008 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 30 August 2021 18:14:47 UTC
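The two eligibility checks contrasted in the comment above (today's browser-local allowlist versus a future authenticator-backed answer to "does any of these credentials exist on this device and is it SPC-enabled") can be modelled in a few lines. The following is an added illustration, not code from the thread, from Chromium or from the SPC specification; the credential store, the `spcEnabled` and `discoverable` flags, the function names and the sample credential ids are all constructed for this example.

```javascript
// Constructed sample: credentials that exist on this device, as a platform
// authenticator might report them. "cred-D" models a credential that was
// created with SPC permission in a different browser profile on the same
// device, so the current browser's local list has never seen it.
const deviceCredentials = [
  { id: "cred-A", rpId: "bank.example",  discoverable: true,  spcEnabled: true  },
  { id: "cred-B", rpId: "bank.example",  discoverable: false, spcEnabled: false },
  { id: "cred-C", rpId: "other.example", discoverable: true,  spcEnabled: true  },
  { id: "cred-D", rpId: "bank.example",  discoverable: true,  spcEnabled: true  },
];

// Approach 1 (described as the current stop-gap): a browser-local list of
// credential ids that were created in this browser with SPC permission.
const browserLocalSpcList = new Set(["cred-A"]);

function spcEligibleByBrowserList(requestedIds, localList = browserLocalSpcList) {
  // Only ids this browser itself recorded can ever match.
  return requestedIds.filter((id) => localList.has(id));
}

// Approach 2 (the longer-term direction in the comment): ask the platform
// authenticator whether any requested credential exists for this RP on this
// device AND is SPC-enabled. Discoverable credentials are required so the
// query can be answered without a user-visible "no such credentials" prompt.
function spcEligibleByAuthenticator(requestedIds, rpId, store = deviceCredentials) {
  const wanted = new Set(requestedIds);
  return store
    .filter((c) => wanted.has(c.id) && c.rpId === rpId && c.discoverable && c.spcEnabled)
    .map((c) => c.id);
}

// Browser-side decision for a cross-origin SPC request: show the SPC UI only
// when at least one credential is eligible; otherwise fall back silently, so
// the calling origin never triggers the platform "No such credentials" sheet.
function decideSpcFlow(requestedIds, rpId, useAuthenticator) {
  const eligible = useAuthenticator
    ? spcEligibleByAuthenticator(requestedIds, rpId)
    : spcEligibleByBrowserList(requestedIds);
  if (eligible.length === 0) {
    return { action: "fallback", reason: "no SPC-enabled credential on this device", eligible };
  }
  return { action: "show-spc-ui", eligible };
}

// Same request, two answers: the local list misses cred-D, the authenticator finds it.
console.log(decideSpcFlow(["cred-D"], "bank.example", false)); // fallback
console.log(decideSpcFlow(["cred-D"], "bank.example", true));  // show-spc-ui
```

The divergence on `cred-D` is one concrete instance of the "many issues" with a browser-local list (any credential the current browser did not itself create is invisible to it); the authenticator-backed check also rejects non-discoverable credentials and credentials scoped to another RP ID without ever prompting the user.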