Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

> > In that case, the RP cannot create a new registration without the risk of silently invalidating old registration.
> Don't understand. Why would existing registration will not suffice? And if a new credential is created somehow, then that credential will work.
> >

> Sorry, don't understand the need for it. Once a credential is created, RP should check for `uv` bit to figure out whether that credential can be used for passwordless flows. And in .get() call you pass all the credentials which are `uv` capable to the authenticator if you are doing the with-username flows.

We [don't know]( which existing registrations are a discoverable credentials and/or platform authenticators. In particular, there is no way to tell from a successful `get` response whether the authenticator be detected by `isUserVerifyingPlatformAuthenticatorAvailable()` in a fresh browser profile, right?

I own at least one user-verifying authenticator that is not a platform authenticator, and Yubico has already announced they will sell one.

> Windows don't store the request details, so we don't know.

That's good to know!

GitHub Notification of comment by lgarron
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Wednesday, 10 February 2021 01:18:10 UTC