Re: [webauthn] Add support for non-modal UI (#1545)

I'm glad to see this!

While working on passwordless WebAuthn support for GitHub, we ran into frustrating limitations. We can only implement a [trusted device](https://www.w3.org/TR/webauthn-2/#sctn-authenticator-attachment-modality) "remember me" feature based on cookies, but we can't yet "get rid of" passwords. If/when we try to do that, we have to introduce yet another concept parallel to security keys and trusted devices that depends on resident keys (and that's not even speaking of roaming authenticators as a potential 4th concept).

It would be really valuable to allow a call to `get()` that:

- Does not require a user gesture to call.
- Has the browser show a prompt for "Do you want to log into this site?" (similar to a "Do you want to add this site to your home screen?" prompt).

Since the spec seems to fall pretty strongly on the side of making the browser explain what's going on (in lieu of returning detailed errors for the site to explain), the browser could then be in charge of the entire prompt and account selection, and only return the Promise once it's all done. That would make it super easy to include on the login page.

I'd like to also submit for consideration the possibility of allowing the user to select *either* using a resident credential, *or* using one of the `allowCredentials` entries. Right now, the signal for the former is an empty list, so one option would be to add another field inside the options data, or another option would be to specify how to handle multiple requests at the same time. This allows the cookie-based trusted device model to continue working, while also supporting the dream world of allowing passwordless login from a fresh profile (e.g. using credentials synced using a keychain or password manager).

> WebAuthn could provide a signal to user-agents that a gentler presentation is desired such that sites can always trigger such a WebAuthn request on their login name and leave it up to the browser to show a suitable amount of UI.

I would love to see a way to keep this both "passwordless" and "usernameless". This is a nicer user experience, and for sites that have a login form with username and password together:

- Some (many?) users generally don't fill out the username field without a password manager that also fills out the password field, so this doesn't really improve their UX.
- It would be disruptive if the prompt showed up after finishing the username field. If the relevant code uses an asynchronous call (quite reasonable for an async API like WebAuthn, and very likely if `allowCredentials` need to be pulled from the server), the prompt might not appear until the user has started interacting with the password field. If they are typing, their keyboard inputs may be sent to the prompt by accident.

It would also allow the user to select from multiple potential accounts visually, instead of having to remember what identifier (username, email, phone number, etc.) to put into the username field.

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1545#issuecomment-755899415 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 7 January 2021 05:46:29 UTC
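The two request modes contrasted in the comment above (an empty `allowCredentials` list signalling a resident/discoverable credential versus an explicit allow-list), together with the standard `AbortSignal` mechanism for cancelling a pending prompt when the user starts typing elsewhere, as an added example that is not part of lgarron's comment or of the WebAuthn specification. The `rpId`, challenge and credential IDs are constructed sample values, and the `credentials` parameter is a hypothetical injection point (`navigator.credentials` in a browser, a stub in tests); `navigator.credentials.get({ publicKey, signal })` is the real Credential Management API call.

```javascript
// Added example: building a WebAuthn assertion request in the two modes the
// comment contrasts, with an AbortSignal so a pending browser prompt can be
// cancelled. Not code from the comment or from the WebAuthn spec.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Decode unpadded base64url (the encoding servers typically use for challenges
// and credential IDs) into the Uint8Array that navigator.credentials.get()
// requires. Hand-rolled so it runs in browsers and Node alike.
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("invalid base64url input");
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    acc = (acc << 6) | B64URL.indexOf(ch);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover bits
    }
  }
  return Uint8Array.from(out);
}

// Build PublicKeyCredentialRequestOptions. Per the spec, an empty allowCredentials
// list tells the authenticator to use a resident (discoverable) credential, i.e.
// the "usernameless" flow; a non-empty list is the allow-list flow a site uses
// when it already knows the user (e.g. from a trusted-device cookie).
function buildAssertionOptions({ rpId, challenge, allowCredentialIds = [], userVerification = "preferred" }) {
  return {
    rpId,
    challenge: base64urlToBytes(challenge),
    allowCredentials: allowCredentialIds.map((id) => ({ type: "public-key", id: base64urlToBytes(id) })),
    userVerification,
    timeout: 60000,
  };
}

// Which of the two flows a given options object requests.
function assertionMode(publicKey) {
  return publicKey.allowCredentials.length === 0 ? "discoverable" : "allow-list";
}

// Run the request. `credentials` is injected (navigator.credentials in a browser,
// a stub in tests). The AbortSignal is the standard way to cancel a pending
// prompt, e.g. when the user starts typing into the password field instead.
async function requestAssertion(credentials, publicKey, signal) {
  try {
    const cred = await credentials.get({ publicKey, signal });
    return { ok: true, mode: assertionMode(publicKey), credentialId: cred.id };
  } catch (e) {
    // The browser, not the site, explains failures to the user; surface only the
    // DOMException name so the site can decide whether to fall back to a password.
    return { ok: false, mode: assertionMode(publicKey), reason: e && e.name ? e.name : "UnknownError" };
  }
}

// Browser usage (skipped outside a browser): start the usernameless request when
// the login page loads, and abort it if the user begins typing a password.
if (typeof navigator !== "undefined" && navigator.credentials) {
  const controller = new AbortController();
  const opts = buildAssertionOptions({ rpId: "example.com", challenge: "AQIDBAUGBwg" }); // constructed values
  document.querySelector("#password")?.addEventListener("input", () => controller.abort(), { once: true });
  requestAssertion(navigator.credentials, opts, controller.signal).then(console.log);
}
```

The abort wiring is the practical answer to the keyboard-focus problem raised in the comment: if the discoverable-credential request was started asynchronously and the user has moved on to the password field, the site cancels the request rather than letting the prompt appear over a half-typed password.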