Re: [webauthn] Cross origin authentication without iframes (#1667)

The conditional UI could work with an allow list. That is however a
conversation for the conditional UI.

At this point I don't think SPC is using anything specific to discoverable
credentials.

I don't see why, if you can get the SPC code into Chrome on Android, you
shouldn't let it work with the existing Android platform authenticator.
All of the credentials on Android are resident; they are just not
discoverable because Android lacks the credential selection UI, but you are
not using that in SPC.

I think doing SPC without an allow list is probably a bad idea and likely
to get more pushback than non-discoverable credentials.

I do think we need to store the flag to allow cross origin in the
credential itself, so that may lead us to some sort of resident credential
that is not accessible without an allow list. A bit like credProtect level
2, or storing the flag in the credential ID.

The idea of the bank sending a signed allow list for the specific RP may
also be worth looking at. That is just a change to the allow list and not
the payment flow. The only problem with that is how the browser validates
the signature.

John B.
On Fri, Sep 3, 2021, 5:41 PM Stephen McGruer via GitHub <sysbot+gh@w3.org>
wrote:

> > I don't quite get why the requirement for discoverable credentials.
> > While this should work for discoverable credentials when an allow list is
> > provided, I don't see any reason that a discoverable credential is required.
>
> The reason I've pushed for Discoverable Credentials isn't related to the
> third-party initiated authentication ceremony. It is related to SPC's
> ability to only show the browser transaction UX if the credentials match
> this device (i.e. if there's a chance the user **could** succeed, assuming
> they wish to and that they can pass the WebAuthn ceremony). This seems very
> close to Conditional UI (which is in some ways solving the same question...
> roughly), and Conditional UI requires Discoverable Credentials.
>
> If we can find a way of doing that without requiring Discoverable
> Credentials, SGTM!
>
> --
> GitHub Notification of comment by stephenmcgruer
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/1667#issuecomment-912825771 using
> your GitHub account

Received on Friday, 3 September 2021 22:51:33 UTC