Re: [webauthn] Breaking change in Chrome 95/W10 (#1677)

I was initially thinking about reporting this as a Chromium bug, but after researching the issue more, including testing with adding `transports` to `allowCredentials` (which worked as expected), it would be technically incorrect to call this a bug.

However, due to Chrome's massive market share, their implementation can be regarded as "normative". IMO you actually need a browser/OS-local list of registered credentials _in order to get a reasonable and predictable UX_. That is, `transports` should remain _redundant_ for `get()`, which effectively would be a specification change or clarification.

Requiring RPs to supply additional information to feed `get()` is a clear disadvantage and incompatible with the current WebAuthn ecosystem. With a proper WebAuthn implementation, `credentialId` should be sufficient for targeting a specific credential, while the absence of `credentialId` should provide the user with a list of applicable credentials to choose from.

I would like to hear what GitHub and the like think about the Chrome update.

GitHub Notification of comment by cyberphone

Received on Monday, 25 October 2021 05:05:31 UTC
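
The `get()` request shapes discussed in the comment above, as an added example that is not part of the original message or of any browser's code: an RP-side helper that builds the `publicKey` options with or without the `transports` hint, and omits `allowCredentials` entirely when no credential is targeted. The record shape, function names and sample IDs are assumptions made for illustration.

```javascript
// Added example: RP-side construction of the options handed to
// navigator.credentials.get({ publicKey: options }).
// Record shape, helper names and sample data are assumptions.

// Decode a base64url string (how the RP is assumed to store IDs) into bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// records: [{ id: <base64url credentialId>, transports?: string[] }]
// `transports` is assumed to be what response.getTransports() returned
// at registration and was stored unchanged next to the credential.
function buildRequestOptions(challenge, records, withTransports = true) {
  const options = { challenge };
  if (records.length === 0) {
    // No credentialId supplied: the client offers the user a choice
    // among applicable (discoverable) credentials.
    return options;
  }
  options.allowCredentials = records.map((rec) => {
    const descriptor = { type: "public-key", id: b64urlToBytes(rec.id) };
    const known = Array.isArray(rec.transports) && rec.transports.length > 0;
    // Older registrations may have no stored transports; omit the member
    // rather than sending an empty list.
    if (withTransports && known) descriptor.transports = [...rec.transports];
    return descriptor;
  });
  return options;
}

// Constructed sample records (IDs are made-up byte strings).
const SAMPLE_RECORDS = [
  { id: "AQIDBA", transports: ["internal"] },
  { id: "_-7d", transports: ["usb", "nfc"] },
  { id: "CQgH" }, // registered before the RP began storing transports
];
```

Calling `buildRequestOptions(challenge, SAMPLE_RECORDS, false)` gives the `credentialId`-only request the comment argues should be sufficient; the default call gives the variant with `transports` that the comment reports as working.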