Re: [webauthn] Breaking change in Chrome 95/W10 (#1677)

> IMO you actually need a browser/OS-local list of registered credentials _in order to get a reasonable and predictable UX_.

That isn't sufficient, though, because the browser cannot assume that the user has not at some point used a different browser or machine to register some credentials.

> With a proper WebAuthn implementation `credentialId` should be sufficient for targeting a specific credential

You're right that this is sufficient to allow the client to conclude that a particular credential _is_ available, but it is not sufficient to allow the client to conclude that a particular credential _is not_ available, which is what allows for the UX optimizations @sbweeden mentioned. The prime example being if `allowCredentials: [{ id: "A", transports: ["internal"] }]` and no platform authenticator has that credential, then the client can conclude that there's no need to ask the user to plug in a security key they don't have. But it is impossible in general for the client to have this information on its own since some credentials may have been registered elsewhere.

Even with a client-side cache of transport hints, that still wouldn't remove the need for the RP to initialize new cache entries whenever a credential is added. And at that point there's no reason the RP can't just _always_ add the transport hints.

GitHub Notification of comment by emlun

Received on Monday, 25 October 2021 14:16:24 UTC
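An added illustration of the reasoning in the comment above (not the commenter's code, not the spec's, and not any browser's implementation): on the RP side, `buildAllowCredentials` always carries the `transports` recorded at registration into the `allowCredentials` descriptors; on the client side, `planAuthenticationPrompts` shows why an id match can prove a credential is present locally while a non-match proves nothing on its own, so that only the transport hints let the client rule a prompt out. `localCredentialIds`, the set of external transports, and all credential ids are constructed assumptions for the example.

```javascript
// Constructed assumption: the transports a client could offer besides the
// platform authenticator ("internal") for this example.
const EXTERNAL_TRANSPORTS = ["usb", "nfc", "ble"];

// RP side: build allowCredentials from stored registrations, always including
// the transports the RP recorded when the credential was created.
function buildAllowCredentials(storedCredentials) {
  return storedCredentials.map((c) => ({
    type: "public-key",
    id: c.id,
    ...(c.transports && c.transports.length > 0
      ? { transports: [...c.transports] }
      : {}),
  }));
}

// Client side: decide which prompts are needed for an allowCredentials list.
// localCredentialIds stands in for whatever platform-authenticator
// credentials the browser can see on this device (constructed stand-in).
function planAuthenticationPrompts(allowCredentials, localCredentialIds) {
  const local = new Set(localCredentialIds);
  const useLocalCredentialIds = [];
  const external = new Set();
  let untaggedEntry = false;

  for (const cred of allowCredentials) {
    if (local.has(cred.id)) {
      // Presence is provable: the id is known on this device.
      useLocalCredentialIds.push(cred.id);
      continue;
    }
    if (!cred.transports || cred.transports.length === 0) {
      // Absence is not provable: with no hint the credential could live on
      // any authenticator, so nothing can be ruled out.
      untaggedEntry = true;
      continue;
    }
    for (const t of cred.transports) {
      if (t !== "internal") external.add(t);
    }
    // An "internal"-only credential that is not present locally cannot be
    // used on this device at all, so it adds no prompt.
  }

  const externalTransportsToOffer = untaggedEntry
    ? [...EXTERNAL_TRANSPORTS]
    : [...external].sort();

  return {
    useLocalCredentialIds,
    externalTransportsToOffer,
    promptForExternal: externalTransportsToOffer.length > 0,
    // True only when every entry carried hints and none of them can be
    // satisfied on this device: the fail-fast case from the comment.
    noUsableCredential:
      useLocalCredentialIds.length === 0 &&
      externalTransportsToOffer.length === 0,
  };
}

// Usage with the comment's example: one internal-only credential, not on
// this device, so no security-key prompt and no usable credential.
console.log(
  planAuthenticationPrompts(
    buildAllowCredentials([{ id: "A", transports: ["internal"] }]),
    []
  )
);
```

The asymmetry is the whole point: drop the `transports` hint from a stored credential and `planAuthenticationPrompts` must fall back to offering every transport, which is exactly the UX the RP can avoid by always populating the hint.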