Re: [webauthn] Can RPs assume that `InvalidStateError` for `create()` means an excludeCredentials match? (#1566)

I'm thinking that a shared credential for the platform authenticator across browsers is a similar concept to a roaming authenticator, because the credential can roam between browsers.

You can guess if you get "InvalidStateError" when you try to create the credential for the platform authenticator. But you can never 100% confirm that the credential can be used for authentication without asking for authentication.
My guess is that you might create the "ambient credential" if you get "InvalidStateError" during the create call.


> Unless I'm misunderstanding, these two are exactly at odds. If we follow step 2 as written, then we are asking the user for authentication at a time when there is no ambient credential. We can try to dress it up in a friendly UI, but there is no way to control the browser UI for this, which is designed for authentication.

In the case of no ambient credential on the browser, after the user logs in with the password you could identify whether the user has registered the platform authenticator before or not.
If there is no platform authenticator registration, you might finish the sign-in process or ask for 2FA depending on the user's security settings.

If there is, you could ask for WebAuthn authentication w/ an allowList (also indicating the internal transport), then the browser will handle that request.

- Depending on the browser, **the browser might not show any UI and just return an error.**

Then, you can explicitly know that the user can authenticate with the platform authenticator on that browser if the authentication is successful.

The other thought is that you just simply call the create function without the exclude credential. Instead, you might need to use another attribute for the ambient credential instead of the generated credential id or something.
-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1566#issuecomment-783057390 using your GitHub account
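The "guess with create(), then confirm with get()" flow described in the comment above, as an added example that is not code from the thread, the WebAuthn spec or any browser. It is RP-side client logic: `credentials` is injected so the same functions run in a browser with `navigator.credentials` and offline under Node with the mock at the bottom. The rpId `example.com`, the user name, the credential IDs, the transports and the all-zero challenge are constructed for the example; a real RP issues a random challenge per ceremony and verifies the returned assertion server-side.

```javascript
// Added example (not from the thread). Client-side RP logic for:
//   1. create() with excludeCredentials -> InvalidStateError is only a hint
//   2. get() with an allowList of internal-transport credentials -> proof
// `credentials` is navigator.credentials in a browser or mockCredentials() here.

const enc = new TextEncoder();

// Credential records the RP holds for this user (constructed sample data).
const REGISTERED = [
  { id: enc.encode("cred-platform-1"), transports: ["internal"] },
  { id: enc.encode("cred-roaming-1"), transports: ["usb", "nfc"] },
];

function bytesEqual(a, b) {
  const x = new Uint8Array(a), y = new Uint8Array(b);
  if (x.length !== y.length) return false;
  for (let i = 0; i < x.length; i++) if (x[i] !== y[i]) return false;
  return true;
}

function createOptions(userName, challenge, registered) {
  return {
    publicKey: {
      rp: { id: "example.com", name: "Example RP" }, // assumed rpId
      user: { id: enc.encode(userName), name: userName, displayName: userName },
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],
      authenticatorSelection: { authenticatorAttachment: "platform" },
      // Every registered credential is excluded, so a platform authenticator
      // that already holds one of them refuses to register a second time.
      excludeCredentials: registered.map(c => ({ type: "public-key", id: c.id, transports: c.transports })),
    },
  };
}

function getOptions(challenge, registered) {
  // allowList limited to platform registrations, each marked as internal transport.
  const platform = registered.filter(c => c.transports.includes("internal"));
  return {
    publicKey: {
      rpId: "example.com",
      challenge,
      userVerification: "preferred",
      allowCredentials: platform.map(c => ({ type: "public-key", id: c.id, transports: ["internal"] })),
    },
  };
}

// Step 1: InvalidStateError from create() only suggests that one of the
// excluded credentials lives on this authenticator; it is not proof it works.
async function guessAmbientCredential(credentials, userName, challenge, registered) {
  try {
    const credential = await credentials.create(createOptions(userName, challenge, registered));
    return { status: "created", credential };
  } catch (err) {
    if (err && err.name === "InvalidStateError") return { status: "maybe-ambient" };
    throw err;
  }
}

// Step 2: only a successful assertion against the allowList confirms the
// platform credential is usable in this browser. A browser may reject the
// request with no UI at all, which the RP must treat as "not confirmed".
async function confirmAmbientCredential(credentials, challenge, registered) {
  const opts = getOptions(challenge, registered);
  if (opts.publicKey.allowCredentials.length === 0) return { status: "no-platform-registration" };
  try {
    const assertion = await credentials.get(opts);
    return { status: "confirmed", assertion };
  } catch (err) {
    return { status: "unconfirmed", error: err && err.name };
  }
}

function domError(name, message) { const e = new Error(message); e.name = name; return e; }

// Offline stand-in for navigator.credentials (constructed): one authenticator
// holding `heldIds`; `silentFailure` models a browser that errors without UI.
function mockCredentials(heldIds, silentFailure = false) {
  const holds = id => heldIds.some(h => bytesEqual(h, id));
  return {
    async create(opts) {
      if (opts.publicKey.excludeCredentials.some(c => holds(c.id))) {
        throw domError("InvalidStateError", "credential already registered");
      }
      return { type: "public-key", id: "new-platform-cred" };
    },
    async get(opts) {
      const match = opts.publicKey.allowCredentials.find(c => holds(c.id));
      if (!match || silentFailure) throw domError("NotAllowedError", "no usable credential");
      return { type: "public-key", id: match.id };
    },
  };
}
```

Usage: in a browser, call `guessAmbientCredential(navigator.credentials, user, challenge, REGISTERED)` and, on `"maybe-ambient"`, follow up with `confirmAmbientCredential(navigator.credentials, challenge, REGISTERED)`; only `"confirmed"` should flip any "this browser has a working platform credential" flag on the RP side, and `"unconfirmed"` covers both a genuinely absent credential and a browser that returned an error without showing UI.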


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 22 February 2021 03:52:01 UTC