Re: [webauthn] Requiring user gesture to call WebAuthn API (#1293)

From: David Waite via GitHub <sysbot+gh@w3.org>
Date: Thu, 27 May 2021 06:31:42 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-849366962-1622097100-sysbot+gh@w3.org>

> I have had other SaaS start to complain about this Ping etc.

Correct. We had no expectation that this WebKit-only behavior would expand from platform authenticators to all authenticators. 

As an authentication product, changing how the authentication process is integrated between domains is a fundamental change to product integration with our customers. 

Like other companies whitelisted, authentication is done by a separate logical application. Also like many of the other companies whitelisted, we also have that authentication system sometimes under a different eTLD+1 (e.g. federated-style login). This means that the user selects that they want to authenticate on one domain, then is redirected to perform the actual authentication process. As a result, this use of the first user interaction for authentication would require moving the authentication process to another origin and break existing credential registrations.

Worst case, WebKit users of our products continue to get a degraded user experience (extra click required to confirm again they really really wanted to do webauthn) and some percentage of our customers decide to not support or even disable WebAuthn support with any WebKit-identified user agents as a result of poor user experience.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1293#issuecomment-849366962 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 27 May 2021 06:31:44 UTC
