
Re: [webauthn] Support a "create/get/replace" credential re-association operation (#1568)

From: Lucas Garron via GitHub <sysbot+gh@w3.org>
Date: Tue, 09 Feb 2021 03:31:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-775634687-1612841518-sysbot+gh@w3.org>

## create/get/replace

In the main comment I've only mentioned "create or get". The issue title also includes "replace".

However, GitHub is in a situation where we've been [encouraging users to register platform authenticators as security keys](https://github.blog/2019-08-21-github-supports-webauthn-for-security-keys/). Since it is [impossible to tell if an existing registration (or new registration where the RP did not require a platform authenticator) is for a platform authenticator](https://github.com/w3c/webauthn/issues/1567), we don't know which security keys can be used as platform authenticators.

Because of the current behaviour of Windows Hello and Safari, we need to avoid registering a platform authenticator as both a security key and a [trusted device](https://w3c.github.io/webauthn/#sctn-authenticator-attachment-modality).

So we need a flow where a user can "create or get" a trusted device, but *also* needs to remove a security key registration if it needs to be re-registered as a user-verifying platform authenticator. In that case, it would be useful to:

- Specify that the browser should "create" if the matching `excludeCredentials` do not satisfy the selection criteria.
- Return the new registration, as well as any matching `excludeCredentials` registrations that were deleted by the platform authenticator as a result of the new registration.

However, I recognize that this is somewhat more complicated. We would also not need it for GitHub if the spec could guarantee that new credentials will only invalidate existing credentials (i.e. only overwrite the [RP, user handle] key in the credential store) if the RP did not specify a required/preferred resident key for the existing credential when it was created.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1568#issuecomment-775634687 using your GitHub account
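The "create or get" flow the comment describes, expressed as an RP-side example under today's WebAuthn semantics rather than the proposed ones. This is added illustration, not code from GitHub or from the WebAuthn spec. It assumes the RP stores each registration as `{ id: Uint8Array, transports: string[] }`, that the credentials container (`navigator.credentials` in a browser) is passed in so the flow can be driven by a constructed stub offline, and it relies on the spec behaviour that `create()` rejects with `InvalidStateError` when the authenticator already holds one of the `excludeCredentials`. Since the RP cannot tell which stored security-key registrations are actually platform authenticators, every known registration is excluded, and the `InvalidStateError` fallback to `get()` is what tells the RP which one it needs to offer to replace.

```javascript
// Added example (not the issue author's or the spec's code).
// Assumed record shape: { id: Uint8Array, transports: string[] }.

// Build creation options asking for a user-verifying platform authenticator
// and excluding every registration the RP already holds for this user.
function buildCreateOptions({ rpId, rpName, user, challenge, registrations }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: user.id, name: user.name, displayName: user.displayName },
    challenge,
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: 'platform',
      residentKey: 'required',
      userVerification: 'required',
    },
    excludeCredentials: registrations.map((r) => ({
      type: 'public-key',
      id: r.id,
      transports: r.transports,
    })),
  };
}

// Per WebAuthn, create() rejects with InvalidStateError when the chosen
// authenticator already holds one of the excluded credentials.
function isExcludedCredentialError(err) {
  return Boolean(err) && err.name === 'InvalidStateError';
}

// "Create or get": try to register a new platform credential; if the
// authenticator already holds one of ours, fall back to an assertion so
// the RP learns which stored registration it is (and can offer to
// re-register it as a user-verifying platform credential).
async function createOrGet(credentials, createOptions, getChallenge) {
  try {
    const credential = await credentials.create({ publicKey: createOptions });
    return { action: 'created', credential };
  } catch (err) {
    if (!isExcludedCredentialError(err)) throw err;
  }
  const credential = await credentials.get({
    publicKey: {
      rpId: createOptions.rp.id,
      challenge: getChallenge,
      userVerification: 'required',
      allowCredentials: createOptions.excludeCredentials,
    },
  });
  return { action: 'got', credential };
}

function sameBytes(a, b) {
  return a.length === b.length && a.every((byte, i) => byte === b[i]);
}

// Constructed stand-in for navigator.credentials: a platform authenticator
// that already holds exactly one credential id. Used only for offline demo.
function stubCredentials(heldId) {
  return {
    async create({ publicKey }) {
      if (publicKey.excludeCredentials.some((c) => sameBytes(c.id, heldId))) {
        const e = new Error('credential already registered');
        e.name = 'InvalidStateError';
        throw e;
      }
      return { id: 'new-credential' };
    },
    async get() {
      return { id: 'existing-credential' };
    },
  };
}

// Demo with constructed data: the one stored registration is the very
// credential the platform authenticator holds, so the flow ends in "got".
async function runDemo() {
  const heldId = new Uint8Array([1, 2, 3, 4]);
  const options = buildCreateOptions({
    rpId: 'example.test',
    rpName: 'Example RP',
    user: { id: new Uint8Array([9]), name: 'alice', displayName: 'Alice' },
    challenge: new Uint8Array(32),
    registrations: [{ id: new Uint8Array([1, 2, 3, 4]), transports: ['internal'] }],
  });
  return createOrGet(stubCredentials(heldId), options, new Uint8Array(32));
}
```

In a browser the same `createOrGet` is called with `navigator.credentials` and server-issued challenges; the stub exists only so the decision logic can be exercised without an authenticator.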


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 9 February 2021 03:32:01 UTC