W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2021

Re: [webauthn] webauthn - API need to know the registration status of an platform authenticator (#1639)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Mon, 05 Jul 2021 17:15:36 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-874245968-1625505335-sysbot+gh@w3.org>
We would not add an API that silently reports whether a credential is present on the current machine because that would create an inappropriate tracking vector.

There is a problem that creating a credential can overwrite an existing credential. There is a [proposal](https://github.com/w3c/webauthn/issues/1637#:~:text=preventing%20unintended%20credential%20overwrites) to adopt Window's current behaviour to avoid that.

(You say above that &ldquo;Resident credentials have a lot of zombies&rdquo;. That suggests that the [user handle](https://www.w3.org/TR/webauthn-2/#user-handle) isn't being set correctly: there should only be a single discoverable credential per (RP, user handle) on a given authenticator.)

In terms of knowing whether a credential exists for signing in, there is also a [proposal](https://github.com/w3c/webauthn/issues/1637#:~:text=changes-,conditional%20ui,-Status) to integrate with autocomplete for that.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1639#issuecomment-874245968 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 5 July 2021 17:15:38 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:44 UTC