Re: [webauthn] Managing FIDO keys (#1612)

I'm not sure what you mean by "scoping feature", care to elaborate?

Thinking about what a "delete credential" command in WebAuthn would look like and whether it would be useful if we were to add it... and I think that it would in fact not be all that useful, for a combination of reasons. First off: in terms of security, there's no strict need to delete credentials from the authenticator since the RP can simply stop accepting signatures from them, so the reasons to delete credentials all come from user experience concerns. And I don't think we expect end-users to be fully aware of the difference between resident and non-resident credentials, so a delete command might just add confusion since it is only relevant for resident credentials.

Also, @MasterKale's advice above already solves most of the things a delete command would: you avoid the user being confused by an account picker showing more "accounts" than the user has, and you avoid inadvertently exhausting a user's authenticator storage with replacement credentials. By consistently setting the same user handle for all credential registrations for a given account, you ensure that the user will only see one option (per account) in username-less account pickers. Beyond that, the only real reason to delete credentials from the authenticator is to reclaim that one slot of storage capacity.

But then, that means that deleting credentials only really becomes relevant when authenticator storage is full. This would most likely become an issue when the user is trying to register to a _new_ RP, which of course wouldn't be allowed to delete credentials for other RPs even if WebAuthn did offer a "delete" API. So it might be more user-friendly in that case to just have the client inform the user that storage is full, and (if the authenticator supports it) offer to open credential management where they can delete credentials they no longer need.

GitHub Notification of comment by emlun

Received on Monday, 17 May 2021 22:01:14 UTC
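
An RP-side sketch of the two points made in the comment above, added here as an example and not taken from the comment or the WebAuthn specification: every registration for an account reuses one stable user handle, and a credential is retired by refusing it on the server instead of deleting it from the authenticator. The class `CredentialRegistry`, its method names and the RP ID `example.test` are hypothetical; signature verification is assumed to happen after the `accepts` gate and is not shown.

```javascript
const crypto = require("node:crypto");

// Hypothetical in-memory RP store; a real RP would persist this.
class CredentialRegistry {
  constructor(rpId) {
    this.rpId = rpId;
    this.accounts = new Map(); // username -> { userHandle, creds: Map<id, {revoked}> }
  }

  account(username) {
    if (!this.accounts.has(username)) {
      // Random, PII-free handle, generated once and reused for every registration.
      this.accounts.set(username, { userHandle: crypto.randomBytes(32), creds: new Map() });
    }
    return this.accounts.get(username);
  }

  // Options for navigator.credentials.create(): user.id is always the same handle,
  // so replacement credentials stay under one entry in a username-less picker.
  creationOptions(username) {
    const acct = this.account(username);
    const active = [...acct.creds].filter(([, c]) => !c.revoked).map(([id]) => id);
    return {
      rp: { id: this.rpId, name: this.rpId },
      user: { id: acct.userHandle, name: username, displayName: username },
      challenge: crypto.randomBytes(32),
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],
      authenticatorSelection: { residentKey: "required" },
      // Only active credentials are excluded; revoked ones may be re-registered over.
      excludeCredentials: active.map((id) => ({ type: "public-key", id: Buffer.from(id, "base64url") })),
    };
  }

  register(username, credentialId) {
    this.account(username).creds.set(credentialId.toString("base64url"), { revoked: false });
  }

  // "Deleting" on the RP side: keep the record, stop accepting its signatures.
  revoke(username, credentialId) {
    const c = this.account(username).creds.get(credentialId.toString("base64url"));
    if (c) c.revoked = true;
    return Boolean(c);
  }

  // Gate to run on an assertion (response.userHandle, rawId) before verifying it.
  accepts(userHandle, credentialId) {
    for (const acct of this.accounts.values()) {
      if (!acct.userHandle.equals(userHandle)) continue;
      const c = acct.creds.get(credentialId.toString("base64url"));
      return Boolean(c) && !c.revoked;
    }
    return false;
  }
}
```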