Re: [webauthn] conditional UI via mediation (#1576)

Further considerations upon reflection: wrt the proposed `silentCredentialDiscovery` operation, how will that interact with credentials' "credential protection policy" (aka "credProtect")?
( apologies if someone has already explained this and I've forgotten... )

AFAICT, in the present conditional mediation formulation (up thru ff37db6) the user does not even have to "interact" with the page before the client platform invokes the `silentCredentialDiscovery` operation. If an authenticator becomes available and it supports the `silentCredentialDiscovery` operation, discoverable creds mapped to the present RP ID are enumerated, and user verification has not yet occurred (IIUC). What happens if those creds were created at credProtect levels 2 or 3? Presently, the latter creds would not be discovered.

RPs may override any platform-imposed credProtect policy --- are we implicitly assuming that RPs creating new user creds and wishing to employ conditional mediation need to also explicitly stipulate a credProtect policy of 1 (userVerificationOptional) when creating (discoverable) creds ?

In any case, IIUC, we probably ought to Note here in the WebAuthn spec credProtect implications wrt conditional mediation and provide some appropriate guidance for RPs ...?

GitHub Notification of comment by equalsJeffH
Received on Monday, 8 November 2021 23:51:26 UTC
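As an added illustration (not code from this thread, the WebAuthn spec, or any browser), here is a constructed JavaScript model of how a silent discovery step that runs before any user verification would treat discoverable credentials at each credProtect level, next to the registration options an RP would send so that a new discoverable credential stays enumerable. The credential records, RP IDs and user names are constructed; only the extension identifiers (`credentialProtectionPolicy` and its values) are the real credProtect extension names.

```javascript
// credProtect levels as defined by the credProtect extension (CTAP 2.1 / WebAuthn).
const CRED_PROTECT = {
  userVerificationOptional: 1,                     // enumerable without UV
  userVerificationOptionalWithCredentialIDList: 2, // needs an allowCredentials list
  userVerificationRequired: 3,                     // needs user verification
};

// Constructed sample: discoverable credentials stored on one authenticator.
const SAMPLE_CREDENTIALS = [
  { id: "cred-A", rpId: "example.com",   userName: "alice", credProtect: 1 },
  { id: "cred-B", rpId: "example.com",   userName: "bob",   credProtect: 2 },
  { id: "cred-C", rpId: "example.com",   userName: "carol", credProtect: 3 },
  { id: "cred-D", rpId: "other.example", userName: "dave",  credProtect: 1 },
];

// Model of the silent discovery step discussed in the thread: it runs before
// any user presence or verification, and conditional mediation supplies no
// allowCredentials list, so level 2 and level 3 credentials cannot be
// returned. Only level 1 credentials scoped to the RP ID are enumerable.
function silentCredentialDiscovery(credentials, rpId) {
  return credentials
    .filter((c) => c.rpId === rpId)
    .filter((c) => c.credProtect === CRED_PROTECT.userVerificationOptional)
    .map((c) => ({ id: c.id, userName: c.userName }));
}

// Registration options an RP would pass to navigator.credentials.create() so
// that the new discoverable credential remains visible to silent discovery:
// a resident key plus an explicit level-1 credProtect policy, overriding any
// stricter platform default. The challenge here is a placeholder; a real RP
// sends a fresh random value from its server.
function conditionalUiFriendlyCreateOptions(rpId, user) {
  return {
    rp: { id: rpId, name: rpId },
    user,
    challenge: new Uint8Array(32),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],
    authenticatorSelection: { residentKey: "required", userVerification: "preferred" },
    extensions: { credentialProtectionPolicy: "userVerificationOptional" },
  };
}
```

Running `silentCredentialDiscovery(SAMPLE_CREDENTIALS, "example.com")` on the sample returns only `cred-A`, which is the gap the comment raises for credentials created at levels 2 and 3.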