Re: [webauthn] Prevent browsers from deleting credentials that the RP wanted to be server-side (#1569)

> More to the point, there is no way to tell from a successful get response whether the authenticator would satisfy isUserVerifyingPlatformAuthenticatorAvailable() in a fresh browser profile, right?

Yes, In fresh browser profile, you don't know which machine it is. And for privacy reasons, we cannot expose this information over the web.

> I own at least one user-verifying authenticator that is not a platform authenticator, and Yubico has already announced they will sell one.

There are many user-verifying authenticators that are not a platform authenticators and Yubico already sells one. May be you are confusing fingerprint based authenticators with user-verifying based authenticators. user verifying authenticators also consists of authenticators which are local PIN based. 

I have many  user-verifying authenticators types. Some are local PIN based. Some are fingerprint based.


Overall for this issue, Windows has no plans to support non-discoverable credentials. And if RP does not want credentials to be overwritten, they should provide an exclude list with all the credentials.

-- 
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1569#issuecomment-776674647 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 10 February 2021 12:30:51 UTC