Re: [webauthn] Requiring user gesture to call WebAuthn API (#1293)

• From: =JeffH via GitHub <sysbot+gh@w3.org>
• Date: Tue, 04 May 2021 22:02:57 +0000
• To: public-webauthn@w3.org
• Message-ID: <issue_comment.created-832279883-1620165775-sysbot+gh@w3.org>

Just to note: although @alanwaketan's original framing says "Requiring user _gesture_..." --- which some may confuse with the WebAuthn API's notion of requiring (or not) a "gesture" for user verification --- it seems this is actually in regards to the (sort of new) HTML notion of **"[Tracking user activation](https://html.spec.whatwg.org/#tracking-user-activation)"**, and there being Web APIs that are "[gated by user activation](https://html.spec.whatwg.org/#user-activation-gated-apis)".

The latter is described as: "user agents allow [the RP to call certain] APIs only when the user is actively interacting with the web page or has interacted with the page at least once". Thus it seems it is a notion distinct from WebAuthn's "gesture" for user verification.

Nominal assessment (disclaimer: AFAICT)

1. A given Web API is obliged to assess its characteristics and decide whether it ought to be "gated by user interaction", and if so, in which style. This may require updating the Web API's algorithm's specifications.  E.g., see [WebPayment's show() method](https://www.w3.org/TR/payment-request/#show-method), steps 2 & 3. [ It also appears by inspection that the latter method would be classified as a "[transient activation-consuming API](https://html.spec.whatwg.org/#activation-consuming-api)" (if the spec authors were to document their user activation classification), fwiw ]  [1]

2. The WebAuthn spec is presently unaware of "user activation", and so does not explicitly accommodate it.

3.1. It appears that updates to WebKit, as noted immediately above in https://github.com/w3c/webauthn/issues/1293#issuecomment-829751750 and https://github.com/w3c/webauthn/issues/1293#issuecomment-829789071, have imposed a notion of "user activation" upon use of the WebAuthn API in WebKit-based UAs, while other UAs have not done so (?).

3.2. It is not clear (to me) from https://trac.webkit.org/changeset/272345/webkit in which fashion, as classified in "[APIs gated by user activation](https://html.spec.whatwg.org/#user-activation-gated-apis)",  WebKit has imposed its user activation requirement upon the WebAuthn API.

Conclusions: 

C1. We ought to determine whether we need to update the WebAuthn API spec to explicitly handle "user activation" in some fashion that we agree on, such that it's implemented uniformly in UAs.

C2. This issue ought to actually be entitled "**Requiring _user activation_ to call WebAuthn API**"

C3. Given this assessment as well as https://github.com/w3c/webauthn/issues/1293#issuecomment-829751750 and https://github.com/w3c/webauthn/issues/1293#issuecomment-829789071, I'm re-opening this issue.

cc: @akshayku @agl

[1] Some other specs explicitly handling "user activation" are (not an exhaustive list):
* WebXR: https://www.w3.org/TR/webxr/#applicationflow
* Audio-Output: https://www.w3.org/TR/audio-output/#dom-mediadevices-selectaudiooutput

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1293#issuecomment-832279883 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 4 May 2021 22:02:59 UTC