Re: [webauthn] webauthn - API need to know the registration status of an platform authenticator (#1639) from Adam Langley via GitHub on 2021-07-05 (public-webauthn@w3.org from July 2021)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Mon, 05 Jul 2021 17:15:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-874245968-1625505335-sysbot+gh@w3.org>

We would not add an API that silently reports whether a credential is present on the current machine because that would create an inappropriate tracking vector.

There is a problem that creating a credential can overwrite an existing credential. There is a [proposal](https://github.com/w3c/webauthn/issues/1637#:~:text=preventing%20unintended%20credential%20overwrites) to adopt Window's current behaviour to avoid that.

(You say above that &ldquo;Resident credentials have a lot of zombies&rdquo;. That suggests that the [user handle](https://www.w3.org/TR/webauthn-2/#user-handle) isn't being set correctly: there should only be a single discoverable credential per (RP, user handle) on a given authenticator.)

In terms of knowing whether a credential exists for signing in, there is also a [proposal](https://github.com/w3c/webauthn/issues/1637#:~:text=changes-,conditional%20ui,-Status) to integrate with autocomplete for that.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1639#issuecomment-874245968 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 5 July 2021 17:15:38 UTC