
Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

From: Lucas Garron via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 01:18:09 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-776360122-1612919888-sysbot+gh@w3.org>
> > In that case, the RP cannot create a new registration without the risk of silently invalidating an old registration.
> 
> Don't understand. Why would the existing registration not suffice? And if a new credential is created somehow, then that credential will work.
> 
> >

> Sorry, don't understand the need for it. Once a credential is created, RP should check for `uv` bit to figure out whether that credential can be used for passwordless flows. And in .get() call you pass all the credentials which are `uv` capable to the authenticator if you are doing the with-username flows.

We [don't know](https://github.com/w3c/webauthn/issues/1567) which existing registrations are discoverable credentials and/or platform authenticators. In particular, there is no way to tell from a successful `get` response whether the authenticator would be detected by `isUserVerifyingPlatformAuthenticatorAvailable()` in a fresh browser profile, right?

I own at least one user-verifying authenticator that is not a platform authenticator, and Yubico has already announced they will sell one.

> Windows doesn't store the request details, so we don't know.

That's good to know!

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-776360122 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 February 2021 01:18:10 UTC
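
The `uv` check discussed in the thread, as an added example that is not part of the original message or of the WebAuthn project's code: it decodes the fixed 37-byte header of authenticator data (rpIdHash, flags, signCount) and shows that the flags byte reports user verification but has no bit for discoverability or platform attachment. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: decode the fixed header of WebAuthn authenticator data.
// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified
const FLAG_AT = 0x40; // attested credential data included
const FLAG_ED = 0x80; // extension data included

// Hypothetical helper name; accepts an ArrayBuffer or Uint8Array.
function parseAuthenticatorData(authData) {
  const bytes = authData instanceof Uint8Array ? authData : new Uint8Array(authData);
  if (bytes.length < 37) {
    throw new RangeError(`authenticator data too short: ${bytes.length} bytes`);
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  // Note what is absent: nothing here says whether the credential is
  // discoverable or whether the authenticator is a platform authenticator.
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    hasAttestedCredentialData: (flags & FLAG_AT) !== 0,
    hasExtensions: (flags & FLAG_ED) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Constructed sample input: a dummy rpIdHash, the given flags and counter.
function makeSample(flags, signCount) {
  const buf = new Uint8Array(37);
  buf.fill(0xab, 0, 32);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

const sample = parseAuthenticatorData(makeSample(FLAG_UP | FLAG_UV, 7));
console.log(sample.userVerified, sample.signCount);
```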
