Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

Unless we find some other field in a discoverable credential to store the canBeUsedFor3PSPC flag, I see there basically being two options.

1. All 3P credentials are created in a different RPID namespace.

- The main problem with this is UX when the RP is trying to use some mix of 1P and 3P credentials for authentication. The browser may need to do multiple UV actions to be able to sort through the two RPID values. If the RP was willing to not use 3P credentials for authentication, or only 3P credentials for authentication, this could work.

2. Use only 1P credentials at the CTAP layer. If an RP wants to flag a credential as 3P for SPC, then that flag would be local to the particular browser instance the credential was created on. That is basically what we have in the current pilot. The difference is that in the 1P SPC flow any credential, roaming or platform, could be used now. The 3P credentials being used cross-browser and device will need to be deferred to CTAP2.2 for a solution. That will probably add one to two years to the timeframe for a broad deployment of the 3P credentials in a cross-browser way.

Neither solution seems to be all that the banks are asking for. However, we are trying to adapt an existing platform to the new requirements. It is not surprising that some compromise is required.

I guess the advantage of the second option is that it is OK for the 1P use case that seems to be the highest priority, and will work with some limitations for 3P SPC in the short term and will work fully after updates.

The namespace option is a bit of an ugly hack that has no easy fix going forward so will haunt us for a long time.
The one advantage is that it would work with existing authenticators at the cost of RP flexibility.

If CTAP2.2 prioritized this and the new purpose flag field is small enough to put in the credentialID, we could see prototypes in 2022. I don't know how long it would take the platform authenticators to change. We tend to assume they are just software so could change quickly. I have yet to actually see that happen with any of them :) So option 2 would take time before it would work cross-browser. Depending on the number of browsers planning on supporting SPC, this might be an acceptable compromise.

GitHub Notification of comment by ve7jtb

Received on Wednesday, 15 December 2021 16:06:56 UTC