Re: [webauthn] Surface platform authenticator status in the `create` response / help RPs track UV/PA/RK (#1567)

From: Lucas Garron via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 01:12:02 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-776357837-1612919521-sysbot+gh@w3.org>

> The best we can do at this time is via the credProps extension. Regarding the implementation on one browser vs another, that is not a spec issue.

I probably don't understand the internals well enough; what limits browsers from reporting if a discoverable credential was created?

> Regarding this issue, you can implicitly guess whether the generated credential is bound to the platform authenticator when returning the value as **internal** with [`getTransports`](https://w3c.github.io/webauthn/#dom-authenticatorattestationresponse-gettransports) call.

> API itself contains the attachment property. And the response has `transports` value.

Ah, thanks, I had forgotten about that. That leaves me with 2 thoughts:

1) How safe is it to assume that `internal` means platform authenticator? Do they mean the same thing, or can either refer to something that is not covered by the other?

2) If it's safe to include such data, is it desirable that the API makes authenticator selection-type-statuses available indirectly, and using different opt-in mechanisms?

As discussed in https://github.com/w3c/webauthn/issues/1556 , many devs will probably not collect such data until it's too late. We don't currently collect `transport` data for GitHub (I think it wasn't commonly available in browsers last we visited this), and doing so would entail 1) adding more code to [`webauthn-json`](https://github.com/github/webauthn-json) for everyone, and 2) deciding where to check and store transport data.

It would be much more ergonomic if the value could be extracted from the default API response like user verification.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1567#issuecomment-776357837 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 February 2021 01:12:08 UTC
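
The data collection discussed in the message above, as an added example that is not part of the original message or of `webauthn-json`: a JavaScript helper that records, at registration time, the transports, the `credProps` `rk` value and the UV flag reported by a `create()` response. `summarizeRegistration`, `constructedCredential` and the record's field names are hypothetical; the helper stores `internal` as reported and does not decide whether it implies a platform authenticator.

```javascript
// Added example (not from the page): record what a create() response reports.
const FLAG_UP = 0x01; // user present bit in the authenticator data flags
const FLAG_UV = 0x04; // user verified bit

function summarizeRegistration(credential) {
  const response = credential.response;
  // Level 2 getters may be missing in older browsers: store null, never guess.
  const transports = typeof response.getTransports === "function"
    ? [...response.getTransports()].sort()
    : null;
  let userPresent = null;
  let userVerified = null;
  if (typeof response.getAuthenticatorData === "function") {
    const authData = new Uint8Array(response.getAuthenticatorData());
    if (authData.length < 37) throw new RangeError("authenticator data too short");
    const flags = authData[32]; // rpIdHash(32) | flags(1) | signCount(4) | ...
    userPresent = (flags & FLAG_UP) !== 0;
    userVerified = (flags & FLAG_UV) !== 0;
  }
  // credProps.rk appears only if the RP requested the extension and the client filled it in.
  const ext = credential.getClientExtensionResults();
  const rk = ext.credProps && typeof ext.credProps.rk === "boolean" ? ext.credProps.rk : null;
  return {
    transports,
    reportsInternal: transports ? transports.includes("internal") : null,
    discoverable: rk,
    userPresent,
    userVerified,
  };
}

// Constructed stand-in for a PublicKeyCredential so the helper runs outside a browser.
function constructedCredential({ flags, transports, credProps }) {
  const authData = new Uint8Array(37); // all-zero rpIdHash and signCount
  authData[32] = flags;
  return {
    response: {
      getTransports: () => transports,
      getAuthenticatorData: () => authData.buffer,
    },
    getClientExtensionResults: () => (credProps ? { credProps } : {}),
  };
}

console.log(summarizeRegistration(
  constructedCredential({ flags: 0x45, transports: ["internal"], credProps: { rk: true } })));
```

Storing `null` for values the client did not report keeps "unknown" distinct from "false" when the record is consulted later.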
