Re: [webauthn] Support a "create/get/replace" credential re-association operation (#1568)

## create/get/replace

In the main comment I've only mentioned "create or get". The issue title also includes "replace".

However, GitHub is in a situation where we've been [encouraging users to register platform authenticators as security keys](). Since it is [impossible to tell if an existing registration (or new registration where the RP did not require a platform authenticator) is for a platform authenticator](), we don't know which security keys can be used as platform authenticators.

Because of the current behaviour of Windows Hello and Safari, we need to avoid registering a platform authenticator as both a security key and a [trusted device]().

So we need a flow where a user can "create or get" a trusted device, but *also* needs to remove a security key registration if it needs to be re-registered as a user-verifying platform authenticator.  In that case, it would be useful to:

- Specify that the browser should "create" if the matching `excludeCredentials` do not satisfy the selection criteria.
- Return the new registration, as well as any matching `excludeCredentials` registrations that were deleted by the platform authenticator as a result of the new registration.

However, I recognize that this is somewhat more complicated. We would also not need it for GitHub if the spec could guarantee that new credentials will only invalidate existing credentials (i.e. only overwrite the [RP, user handle] key in the credential store) if the RP did not specify a required/preferred resident key for the existing credential when it was created.

GitHub Notification of comment by lgarron
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Tuesday, 9 February 2021 03:32:01 UTC
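The "create or get / replace" flow lgarron describes, as an added example that is not part of the original comment and not the WebAuthn spec's or GitHub's code. It models the RP side on top of the `create()` behaviour WebAuthn has today: when an entry in `excludeCredentials` is bound to the chosen authenticator, `create()` rejects with `InvalidStateError`, and the RP is not told which entry matched. Everything else is a labelled assumption: `FakePlatformAuthenticator` stands in for a platform authenticator that keeps one discoverable credential per `[rpId, userHandle]` and stores the credential discoverably regardless of the `residentKey` preference (the behaviour the comment attributes to Windows Hello and Safari); `registerTrustedDevice`, `registerSecurityKey`, `trustedDeviceOptions` and `chooseToReplace` are hypothetical names; IDs and user handles are plain strings where the real API takes `BufferSource` values.

```javascript
// Added example (not lgarron's, GitHub's or the WebAuthn spec's code).
// RP-side "create or get / replace" on top of today's create() semantics.

const RP_ID = 'example.com'; // constructed value

// Hypothetical stand-in for a platform authenticator. It keeps one discoverable
// credential per [rpId, userHandle] and ignores the residentKey preference, which
// is the Windows Hello / Safari behaviour the comment refers to.
class FakePlatformAuthenticator {
  constructor() {
    this.slots = new Map(); // "rpId|userHandle" -> credentialId
    this.nextId = 1;
  }

  async create({ publicKey }) {
    const slot = `${publicKey.rp.id}|${publicKey.user.id}`;
    const existing = this.slots.get(slot);
    const excluded = publicKey.excludeCredentials || [];
    // Spec behaviour: an excluded credential on this authenticator aborts creation.
    if (existing && excluded.some((c) => c.id === existing)) {
      const err = new Error('A credential matching excludeCredentials already exists');
      err.name = 'InvalidStateError';
      throw err;
    }
    // Otherwise the new credential silently takes over the [rpId, userHandle] slot,
    // invalidating whatever was there: the hazard the comment describes.
    const credentialId = `cred-${this.nextId++}`;
    this.slots.set(slot, credentialId);
    return { id: credentialId, type: 'public-key', authenticatorAttachment: 'platform' };
  }
}

// create() options for a user-verifying discoverable platform credential that
// exclude every registration the RP already holds for this user.
function trustedDeviceOptions(user, registrations) {
  return {
    publicKey: {
      rp: { id: RP_ID, name: 'Example' },
      user: { id: user.handle, name: user.name, displayName: user.name },
      challenge: new Uint8Array(32), // constructed; a real RP sends a random challenge
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
      authenticatorSelection: {
        authenticatorAttachment: 'platform',
        residentKey: 'required',
        userVerification: 'required',
      },
      excludeCredentials: registrations.map((r) => ({ type: 'public-key', id: r.credentialId })),
    },
  };
}

// Registers the same authenticator as a plain security key (no attachment or
// resident-key requirement), the registration the comment says GitHub encouraged.
async function registerSecurityKey(authenticator, user) {
  const options = trustedDeviceOptions(user, user.registrations);
  options.publicKey.authenticatorSelection = { residentKey: 'discouraged' };
  const cred = await authenticator.create(options);
  const reg = { credentialId: cred.id, role: 'security-key' };
  user.registrations.push(reg);
  return reg;
}

// "Create or get / replace": try to create; on InvalidStateError one of the excluded
// credentials lives on this authenticator, but the RP is not told which, so the user
// (via chooseToReplace) picks the security-key registration to retire. The RP drops
// it and retries. Returns the new registration plus the removed ones, the shape the
// comment wishes the platform would return directly.
async function registerTrustedDevice(authenticator, user, chooseToReplace) {
  const removed = [];
  for (let attempt = 0; attempt < 2; attempt++) {
    try {
      const cred = await authenticator.create(trustedDeviceOptions(user, user.registrations));
      const reg = { credentialId: cred.id, role: 'trusted-device' };
      user.registrations.push(reg);
      return { created: reg, removed };
    } catch (err) {
      if (err.name !== 'InvalidStateError' || attempt === 1) throw err;
      const victim = chooseToReplace(user.registrations.filter((r) => r.role === 'security-key'));
      if (!victim) throw err; // nothing to replace: surface the original failure
      user.registrations = user.registrations.filter((r) => r !== victim);
      removed.push(victim);
    }
  }
}
```

The retry only removes the registration from the RP's own records; the authenticator's slot is overwritten by the second `create()`, so after the flow the RP and the authenticator agree again. If the user picks the wrong security key, the second `create()` still throws `InvalidStateError` and the function rethrows rather than looping, which is the point at which a real RP would need the platform to report the matching credential itself.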