Re: [webauthn] Can RPs assume that `InvalidStateError` for `create()` means an excludeCredentials match? (#1566)

It seems that you try to prompt the "platform authenticator" when the user visits sign-in pages and he/she has already registered the "platform authenticator" with that device.
And also you don't want to prompt authentication with the whole list of allowCredentials, whether the registered credential is discoverable or not, in the first place.

My understanding is that the RP would rely on some "ambient credential" (with a cookie or something) indicating that the user registered the platform authenticator on that machine (and browser as well).

So, if there is any client-side "ambient credential" when the user visits sign-in pages, you can prompt the WebAuthn authentication (depending on your policy, you may include that user's other credentials).
In normal cases, the user goes through user verification (Touch ID or something) and you get the authentication.
In some error cases, you might get "NotAllowedError", meaning that the user might have cancelled the operation (user verification) or there is no available authenticator with the credential IDs (maybe wiped out).

In this case you can provide a button for the user to retry the WebAuthn authentication, so that the user might retry or sign in with the password (since you cannot distinguish "user cancel" from "no available authenticator").
If the user signs in with the password, you might ask for re-registration of the platform authenticator.

If there is no ambient credential, you'd better not ask for WebAuthn authentication (trusted device) in the first place.

1.  The user needs to sign in with the password first.
2.  You can determine whether the user has already registered the platform authenticator with that device by asking for an additional WebAuthn authentication prompt (if there is any registered platform authenticator for that user).
    If the WebAuthn authentication is successful, you might create the ambient credential for this browser (and device).
3.  If there is no platform authenticator credential for the user, you can ask the user to register their platform authenticator.
    Then, you create the ambient credential for the trusted device.

That said, you need to rely on the "ambient credential" when you prompt the "trusted device" authentication, and you should create the "ambient credential hint" in every browser (when the user registers their platform authenticator or authenticates with the platform authenticator).

GitHub Notification of comment by Kieun

Received on Saturday, 20 February 2021 03:35:00 UTC
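The "trusted device" sign-in flow described in the comment above, as an added example that is not part of the thread, the WebAuthn spec or any RP's code: an ambient hint stored client-side decides whether the page prompts the platform authenticator at all, a NotAllowedError from the assertion is treated as "retry or use the password" because the page cannot tell a user cancel from a missing authenticator, and the hint is written only after a successful assertion or registration. Every name here (TRUSTED_DEVICE_HINT, makeStore, requestAssertion, verifyOnServer, requestRegistration, the outcome strings) is an assumption made for illustration; the browser and server calls are injected so the logic runs offline.

```javascript
// Added example, not code from the thread or any RP. Names are assumptions.
const TRUSTED_DEVICE_HINT = "webauthn_platform_hint"; // assumed storage key

// Small stand-in for window.localStorage (constructed) so the flow runs offline.
function makeStore(initial = {}) {
  const data = { ...initial };
  return {
    getItem: (k) => (k in data ? data[k] : null),
    setItem: (k, v) => { data[k] = String(v); },
    removeItem: (k) => { delete data[k]; },
  };
}

function hasTrustedDeviceHint(store) {
  return store.getItem(TRUSTED_DEVICE_HINT) !== null;
}

function setTrustedDeviceHint(store, userId) {
  store.setItem(TRUSTED_DEVICE_HINT, userId);
}

// What the sign-in page shows on load: only prompt the platform authenticator
// when this browser already carries the hint; otherwise start with the password.
function initialSignInStep(store) {
  return hasTrustedDeviceHint(store) ? "prompt-platform-authenticator" : "password";
}

// Map an error thrown by navigator.credentials.get() to a UI decision.
// NotAllowedError covers both "user cancelled" and "no authenticator holds one
// of the allowed credential IDs"; the page cannot tell those apart, so both get
// a retry button plus the password fallback.
function classifyAssertionError(err) {
  if (err && err.name === "NotAllowedError") return "retry-or-password";
  return "unexpected-error";
}

// Trusted-device sign-in. `requestAssertion` stands in for
// navigator.credentials.get({ publicKey: ... }) and `verifyOnServer` for the
// RP's assertion check; both are injected (assumed) so the flow runs offline.
async function signInWithTrustedDevice(store, requestAssertion, verifyOnServer) {
  if (!hasTrustedDeviceHint(store)) return { outcome: "password" };
  let assertion;
  try {
    assertion = await requestAssertion({ userVerification: "required" });
  } catch (err) {
    const decision = classifyAssertionError(err);
    if (decision === "unexpected-error") throw err;
    return { outcome: decision, reason: err.name };
  }
  if (!(await verifyOnServer(assertion))) {
    // The hint was stale or belongs to another account: drop it and fall back.
    store.removeItem(TRUSTED_DEVICE_HINT);
    return { outcome: "password", reason: "server-rejected" };
  }
  return { outcome: "signed-in" };
}

// After a successful password sign-in: if the account already has a platform
// credential, probe it with one more assertion and set the hint on success;
// otherwise (or if the probe fails) ask for (re-)registration, which sets the hint.
async function afterPasswordSignIn(store, userId, accountHasPlatformCredential,
                                   requestAssertion, requestRegistration) {
  if (accountHasPlatformCredential) {
    try {
      await requestAssertion({ userVerification: "required" });
      setTrustedDeviceHint(store, userId);
      return "hint-set-after-assertion";
    } catch (err) {
      if (classifyAssertionError(err) === "unexpected-error") throw err;
      // Credential not usable on this device: fall through to registration.
    }
  }
  await requestRegistration({ authenticatorAttachment: "platform" });
  setTrustedDeviceHint(store, userId);
  return "hint-set-after-registration";
}

// Stand-alone demo with a constructed NotAllowedError (mirrors DOMException.name).
if (typeof require !== "undefined" && require.main === module) {
  const store = makeStore({ [TRUSTED_DEVICE_HINT]: "user-1" });
  const cancelled = async () => {
    throw Object.assign(new Error("cancelled"), { name: "NotAllowedError" });
  };
  signInWithTrustedDevice(store, cancelled, async () => true)
    .then((r) => console.log(initialSignInStep(store), r));
}
```

In a real page `requestAssertion` would wrap `navigator.credentials.get()` with the challenge fetched from the RP, and the hint would live in a cookie or localStorage; the hint only tells the page whether to try the prompt, it is never treated as proof of anything, which is why a server rejection clears it and sends the user to the password path.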