Re: [webauthn] How to know if a user has already registered a device? (#1749)

A website can't silently check whether the browser already has credentials without triggering the (interactive) sign-in experience (for obvious privacy reasons). It can, however:

* Ask the browser to show any known credentials in autofill when the user selects a username field, for cases where both passwords and WebAuthn are supported. (Browser support for this is still in development though.)
* Know when the user just signed in using a non-local device, like a security key or phone, which might be a good signal to try registering the local device.
* Set the known credential IDs in the exclude list when calling `create`, which prevents existing credentials from being overwritten without (for platform authenticators) showing the user a visible error.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1159724981 using your GitHub account



Received on Sunday, 19 June 2022 13:20:17 UTC
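
The second and third options from the comment above, as an added example that is not part of the original comment or of the WebAuthn project: it flags a sign-in from a non-local authenticator and passes the known credential IDs in `excludeCredentials` when calling `create`. The function names, the base64url storage of credential IDs, the use of the `authenticatorAttachment` attribute as the "non-local device" signal, and the mapping of `InvalidStateError` to "already registered" are assumptions of this example.

```javascript
// Added example; buildCreateOptions, shouldOfferLocalRegistration,
// registerLocalDevice and storedIds are hypothetical names.

// Assumption: the server stores credential IDs as base64url strings.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build options for navigator.credentials.create() with every credential the
// server already knows for this account placed in excludeCredentials.
function buildCreateOptions({ rp, user, challenge, storedIds }) {
  return {
    publicKey: {
      rp,
      user,
      challenge,
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { authenticatorAttachment: "platform" },
      excludeCredentials: storedIds.map((id) => ({
        type: "public-key",
        id: b64urlToBytes(id),
      })),
    },
  };
}

// After a successful get(): a roaming authenticator (security key, phone)
// suggests the local device may not be registered yet. A missing or null
// attribute (older browsers) yields false.
function shouldOfferLocalRegistration(assertion) {
  return assertion.authenticatorAttachment === "cross-platform";
}

// Call create(); treat InvalidStateError (an excluded credential already lives
// on this authenticator) as "already registered" rather than a failure.
async function registerLocalDevice(options, credentials = globalThis.navigator?.credentials) {
  try {
    const credential = await credentials.create(options);
    return { status: "created", credential };
  } catch (err) {
    if (err && err.name === "InvalidStateError") return { status: "already-registered" };
    if (err && err.name === "NotAllowedError") return { status: "cancelled" };
    throw err;
  }
}
```

The `credentials` parameter exists so the flow can be exercised with a stub; in a page it defaults to `navigator.credentials`.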