Re: [webauthn] Should an RP be able to provide finer grained authenticator filtering in attestation options? (#1688)

> This can already be technically achieved using the `allowCredentials` option. At the time of attestation you record enough information to know this credential is of the particular criteria you want, and only populate `allowCredentials` during assertion with the IDs of credentials which match your selected criteria.

People want the ability to do finer grained selection during registration, not authentication. 

For example, if we issue only USB YubiKeys to our employees, when they register the key it should only allow USB transports.

Today, as it is, browsers like Chrome will offer caBLE and USB. If a user tries to use caBLE it will fail, and the RP has to explain why.

Effectively, the problem is one of communication. Will the WebAuthn WG allow RPs to communicate to browsers/users about what devices *are* valid in that context, helping to add constraints and create a positive, error-free user experience? Or will the WG reject this issue again, and force RPs to communicate with users "after errors occur", which is a far more difficult process and pushes RPs to have to do much more work to account for a gap in this standard?

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1688#issuecomment-1148034122 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 6 June 2022 23:30:39 UTC
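The two RP-side mechanisms discussed in this message, as an added example that is not part of the original comment or of any WebAuthn library: rejecting a registration after the fact when its reported transports fall outside policy, and building `allowCredentials` from stored records at assertion time. The function names, the subset policy, and the sample records are assumptions made for illustration; `transports` is the array returned by `AuthenticatorAttestationResponse.getTransports()`.

```javascript
// Added example. Hypothetical RP policy: every reported transport must be in this set.
const POLICY_TRANSPORTS = new Set(["usb"]);

// Registration: runs only after the ceremony has completed in the browser, so a
// mismatch can only be explained to the user after the error has occurred.
// `transports` is client-reported and is treated here as a hint, not as proof.
function checkRegistration(credentialId, transports, policy = POLICY_TRANSPORTS) {
  if (!Array.isArray(transports) || transports.length === 0) {
    return { ok: false, reason: "no transports reported" };
  }
  const disallowed = transports.filter((t) => !policy.has(t));
  if (disallowed.length > 0) {
    return { ok: false, reason: `transport not permitted: ${disallowed.join(", ")}` };
  }
  // Stored alongside the public key so assertion options can be filtered later.
  return { ok: true, record: { id: credentialId, transports: [...transports] } };
}

// Assertion: the approach from the quoted reply. Only credentials whose recorded
// transports satisfy the policy are listed in allowCredentials.
function buildAllowCredentials(records, policy = POLICY_TRANSPORTS) {
  return records
    .filter((r) => r.transports.length > 0 && r.transports.every((t) => policy.has(t)))
    .map((r) => ({ type: "public-key", id: r.id, transports: r.transports }));
}

// Constructed sample records; ids are placeholder base64url strings.
// "hybrid" is the transport name under which caBLE was later standardized.
const SAMPLE_RECORDS = [
  { id: "Y3JlZC11c2I", transports: ["usb"] },
  { id: "Y3JlZC1oeWJyaWQ", transports: ["hybrid"] },
  { id: "Y3JlZC1pbnRlcm5hbA", transports: ["internal"] },
];

function demo() {
  return {
    usb: checkRegistration("Y3JlZC11c2I", ["usb"]),
    hybrid: checkRegistration("Y3JlZC1oeWJyaWQ", ["hybrid"]),
    allow: buildAllowCredentials(SAMPLE_RECORDS),
  };
}
```

Neither function changes which transports the browser offers during `navigator.credentials.create()`, which is the gap the message describes.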