Re: [webauthn] Credential Creation Options are inconsistent to Request (#1716)

@agl Well, there is currently a bit of a mess in the way the spec is set up. The RP needs to guide the user into which authenticator they may want to use, for example a passwordless flow, a password + security key, or some other flows we haven't thought of yet. And especially around attestation, we may know that we want a specific type of authenticator to be used. But then the browser has its own authenticator guidance flows around this device, caBLE, USB keys.

So the confusion is: whose job is it? Is it for the RP to hint to the browser what authenticators are valid so we can tune those workflows and policies of what the user agent displays to the user?

Or is it out of the RP's hands, and the user agent just does whatever the user wants and the RP has to respond (and potentially reject) registrations / assertions? 

So why would it be different that an RP, especially in a corporate context, may want to hint that "hey, only USB devices are going to be accepted so don't ask for anything else"?

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1716#issuecomment-1089495916 using your GitHub account



Received on Tuesday, 5 April 2022 23:04:45 UTC