
Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
Date: Wed, 10 Feb 2021 12:30:48 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-776674647-1612960247-sysbot+gh@w3.org>
> More to the point, there is no way to tell from a successful get response whether the authenticator would satisfy isUserVerifyingPlatformAuthenticatorAvailable() in a fresh browser profile, right?

Yes. In a fresh browser profile, you don't know which machine it is. And for privacy reasons, we cannot expose this information over the web.

> I own at least one user-verifying authenticator that is not a platform authenticator, and Yubico has already announced they will sell one.

There are many user-verifying authenticators that are not platform authenticators, and Yubico already sells one. Maybe you are confusing fingerprint-based authenticators with user-verifying based authenticators. User-verifying authenticators also consist of authenticators which are local PIN based.

I have many user-verifying authenticator types. Some are local PIN based. Some are fingerprint based.

Overall for this issue, Windows has no plans to support non-discoverable credentials. And if the RP does not want credentials to be overwritten, they should provide an exclude list with all the credentials.

GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-776674647 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 10 February 2021 12:30:51 UTC
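
The exclude-list approach named at the end of the message, sketched as an added example (not part of the original comment and not any project's own code). The function names, the `storedCredentials` record shape and the sample credential IDs are assumptions constructed for illustration.

```javascript
// Added example: buildCreationOptions, classifyCreateError and the
// storedCredentials record shape are hypothetical names.
// Decode a base64url credential ID, as the RP stored it, into bytes.
function b64urlToBytes(s) {
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/"));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialCreationOptions listing every credential the RP
// already holds for this user, so an authenticator that holds one of them
// refuses to create another credential for the same account.
function buildCreationOptions({ rp, user, challenge, storedCredentials }) {
  const seen = new Set();
  const excludeCredentials = [];
  for (const cred of storedCredentials) {
    if (seen.has(cred.id)) continue; // skip duplicate database rows
    seen.add(cred.id);
    const d = { type: "public-key", id: b64urlToBytes(cred.id) };
    if (cred.transports && cred.transports.length) d.transports = cred.transports;
    excludeCredentials.push(d);
  }
  return {
    rp, user, challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    excludeCredentials,
  };
}

// create() rejects with InvalidStateError when the authenticator already
// holds one of the excluded credentials.
function classifyCreateError(err) {
  if (err && err.name === "InvalidStateError") return "already-registered";
  if (err && err.name === "NotAllowedError") return "not-allowed";
  return "failed";
}

// Constructed sample data (not real credential IDs).
const sampleOptions = buildCreationOptions({
  rp: { id: "example.com", name: "Example RP" },
  user: { id: new Uint8Array([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
  challenge: new Uint8Array(32), // placeholder; use server-generated random bytes
  storedCredentials: [
    { id: "AQIDBA", transports: ["usb"] },
    { id: "_-7d", transports: [] },
    { id: "AQIDBA", transports: ["usb"] }, // duplicate row
  ],
});
// In a browser: navigator.credentials.create({ publicKey: sampleOptions })
//   .catch((e) => classifyCreateError(e));
```

The list only works if it is complete: a credential the RP omits is not protected by this check.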
