Re: [webauthn] Requesting properties of created credentials. (#1449)

> probably could be generalized for roaming too?

Roaming or not already has the [`authenticatorSelection.authenticatorAttachment` option](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorselectioncriteria-authenticatorattachment), and [`getTransports()`](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#dom-authenticatorattestationresponse-gettransports) can sometimes tell what the result ended up being (`"internal"` means platform credential, any other value means roaming; note that both `"internal"` and other values may potentially appear together).

I also think that if an RP needs to _require_ a hardware-backed credential (say, for legal compliance reasons), then that will also require attestation since that's the only way to know for sure (which also means that use case is already supported - in a roundabout way perhaps, but you'll still have to do all that work even if we add a "require hardware-backed" parameter). But a new `AuthenticatorSelectionCriteria` parameter could certainly be useful for less strict use cases where it could be treated more like a hint than a requirement.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1449#issuecomment-863753536 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 18 June 2021 04:52:42 UTC
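
The `getTransports()` interpretation described in the comment above, sketched as an added example (not part of the comment or of the WebAuthn specification). The function names, result labels and sample transport lists are assumptions made for illustration; the result is a hint only, since the comment notes that attestation is the only way to know for sure.

```javascript
// In a browser the transports array would come from
//   (await navigator.credentials.create({ publicKey })).response.getTransports()
// Here it is passed in directly so the logic runs offline.

// Classify a new credential from its reported transports (hypothetical helper).
function classifyAttachment(transports) {
  if (!Array.isArray(transports) || transports.length === 0) {
    return "unknown"; // nothing was reported, so nothing can be inferred
  }
  const hasInternal = transports.includes("internal");
  const hasOther = transports.some((t) => t !== "internal");
  // "internal" and other values may appear together; do not guess in that case.
  if (hasInternal && hasOther) return "mixed";
  return hasInternal ? "platform" : "cross-platform";
}

// Compare the requested authenticatorSelection.authenticatorAttachment
// ("platform" or "cross-platform", or undefined if none was requested)
// with what the transports suggest (hypothetical helper).
function compareWithRequest(requested, transports) {
  const observed = classifyAttachment(transports);
  const conclusive = observed === "platform" || observed === "cross-platform";
  return {
    observed,
    // null means "cannot tell": no preference requested, or ambiguous report
    matchesRequest: requested && conclusive ? observed === requested : null,
  };
}

// Constructed sample transport lists, not captured from real authenticators.
const SAMPLES = [["internal"], ["usb", "nfc"], ["internal", "usb"], []];
for (const transports of SAMPLES) {
  console.log(JSON.stringify(transports), compareWithRequest("platform", transports));
}
```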