Re: [webauthn] Requiring user gesture to call WebAuthn API (#1293)

> I have had other SaaS start to complain about this Ping etc. 

Correct. We had no expectation that this WebKit-only behavior would expand from platform authenticators to all authenticators. 

As an authentication product, changing how the authentication process is integrated between domains is a fundamental change to product integration with our customers. 

Like other companies whitelisted, authentication is done by a separate logical application. Also like many of the other companies whitelisted, we also have that authentication system sometimes under a different eTLD+1 (e.g. federated-style login). This means that the user selects that they want to authenticate on one domain, then is redirected to perform the actual authentication process.  As a result, this use of the first user interaction for authentication would require moving the authentication process to another origin and break existing credential registrations.

Worst case, WebKit users of our products continue to get a degraded user experience (extra click required to confirm again they really really wanted to do webauthn) and some percentage of our customers decide to not support or even disable WebAuthn support with any WebKit-identified user agents as a result of poor user experience.

GitHub Notification of comment by dwaite
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Thursday, 27 May 2021 06:31:44 UTC