Re: [webauthn] Surface platform authenticator status in the `create` response / help RPs track UV/PA/RK (#1567)

> The best we can do at this time is via the credProps extension. Regarding the implementation on one browser vs another, that is not a spec issue.

I probably don't understand the internals well enough; what limits browsers from reporting if a discoverable credential was created?

> Regarding this issue, you can implicitly guess whether the generated credential is bound to the platform authenticator when returning the value as **internal** with `getTransports` call.

> API itself contains the attachment property. And the response has `transports` value.

Ah, thanks, I had forgotten about that. That leaves me with 2 thoughts:

1) How safe is it to assume that `internal` means platform authenticator? Do they mean the same thing, or can either refer to something that is not covered by the other?

2) If it's safe to include such data, is it desirable that the API makes authenticator selection-type-statuses available indirectly, and using different opt-in mechanisms?

As discussed in , many devs will probably not collect such data until it's too late. We don't currently collect `transport` data for GitHub (I think it wasn't commonly available in browsers last we visited this), and doing so would entail 1) adding more code to `webauthn-json` for everyone, and 2) deciding where to check and store transport data.

It would be much more ergonomic if the value could be extracted from the default API response like user verification.

GitHub Notification of comment by lgarron

Received on Wednesday, 10 February 2021 01:12:08 UTC
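
As an added example (not part of the original message, and not GitHub's or `webauthn-json`'s code), a relying party could record the signals discussed in this thread at registration time: the UV flag from the authenticator data, the `transports` list, and `credProps.rk`. The names `summarizeRegistration` and `mockCredential`, the record fields and the mock credentials are assumptions made for illustration; `null` means the browser did not report the value, and `internal` is stored as a hint only.

```javascript
// Added example. Credentials passed in the usage below are constructed mocks,
// not real authenticator output.
// Authenticator data layout: 32-byte rpIdHash, then one flags byte.
const FLAG_UV = 0x04; // "user verified" bit in the flags byte

// Summarise what an RP can learn about UV / PA / RK from a create() result.
// `cred` is a PublicKeyCredential, or a mock exposing the same methods.
function summarizeRegistration(cred) {
  const resp = cred.response || {};
  // These getters are missing in older browsers, so probe before calling.
  const authData = typeof resp.getAuthenticatorData === "function"
    ? new Uint8Array(resp.getAuthenticatorData()) : null;
  const transports = typeof resp.getTransports === "function"
    ? resp.getTransports() : null;
  // credProps is only returned if requested with extensions: { credProps: true }.
  const ext = typeof cred.getClientExtensionResults === "function"
    ? cred.getClientExtensionResults() : {};
  const flags = authData && authData.length > 32 ? authData[32] : null;
  const rk = ext.credProps ? ext.credProps.rk : undefined;
  return {
    // Tri-state on purpose: true / false / null (not reported).
    userVerified: flags === null ? null : (flags & FLAG_UV) !== 0,
    transports,
    // A hint that the platform authenticator was used, not proof of it.
    internalTransportHint: transports ? transports.includes("internal") : null,
    residentKey: typeof rk === "boolean" ? rk : null,
  };
}

// Hypothetical helper that builds a constructed credential for offline runs.
function mockCredential({ flags, transports, credProps }) {
  const authData = new Uint8Array(37); // rpIdHash + flags + 4-byte signCount
  authData[32] = flags;
  const response = { getAuthenticatorData: () => authData.buffer };
  if (transports) response.getTransports = () => transports;
  return {
    response,
    getClientExtensionResults: () => (credProps ? { credProps } : {}),
  };
}

// Constructed sample: UP|UV|AT flags, internal transport, discoverable credential.
console.log(summarizeRegistration(
  mockCredential({ flags: 0x45, transports: ["internal"], credProps: { rk: true } })
));
```

Storing the unknown state separately from `false` lets the RP distinguish "browser did not say" from "authenticator said no" when the data is needed later.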