Re: [webauthn] Cross origin authentication without iframes (#1667)

> I don't quite get why the requirement for discoverable credentials. While this should work for discoverable credentials when an allow list is provided, I don't see any reason that a discoverable credential is required.

The reason I've pushed for Discoverable Credentials isn't related to the third-party initiated authentication ceremony. It is related to SPC's ability to only show the browser transaction UX if the credentials match this device (i.e. if there's a chance the user **could** succeed, assuming they wish to and that they can pass the WebAuthn ceremony). This seems very close to Conditional UI (which is in some ways solving the same question... roughly), and Conditional UI requires Discoverable Credentials.

If we can find a way of doing that without requiring Discoverable Credentials, SGTM!

GitHub Notification of comment by stephenmcgruer
Please view or discuss this issue at using your GitHub account

Sent via github-notify-ml as configured in

Received on Friday, 3 September 2021 21:41:44 UTC