Re: [webauthn] How to know if a user has already registered a device? (#1749)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Sun, 19 Jun 2022 13:20:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1159724981-1655644814-sysbot+gh@w3.org>

A website can't silently check whether the browser already has credentials without triggering the (interactive) sign-in experience (for obvious privacy reasons). It can, however:

* Ask the browser to show any known credentials in autofill when the user selects a username field, for cases where both passwords and WebAuthn are supported. (Browser support for this is still in development though.)
* Know when the user just signed in using a non-local device, like a security key or phone, which might be a good signal to try registering the local device.
* Set the known credential IDs in the exclude list when calling `create`, which prevents existing credentials from being overwritten without (for platform authenticators) showing the user a visible error.

GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1159724981 using your GitHub account

Received on Sunday, 19 June 2022 13:20:17 UTC
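
The exclude-list option from the message above, as an added example that is not part of the original message or of the WebAuthn project's code. The helper names, the base64url storage format for credential IDs, and the returned status strings are assumptions; in a browser the first argument to `registerLocalDevice` would be `navigator.credentials`, and `challenge` and `user` come from the server.

```javascript
// Added example; helper names and status strings are hypothetical.

// Decode a base64url credential ID (assumed server-side storage format) to bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build the options for credentials.create(), listing every credential ID the
// server already holds for this account in excludeCredentials.
function buildCreationOptions({ rp, user, challenge, knownCredentialIds }) {
  return {
    publicKey: {
      rp,
      user,
      challenge, // fresh random bytes issued by the server per ceremony
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: { authenticatorAttachment: "platform" },
      excludeCredentials: knownCredentialIds.map((id) => ({
        type: "public-key",
        id: b64urlToBytes(id),
      })),
    },
  };
}

// Run the ceremony and translate the outcome. An authenticator that already
// holds one of the excluded credentials rejects with InvalidStateError, so the
// existing credential is left untouched instead of being overwritten.
async function registerLocalDevice(credentials, options) {
  try {
    const credential = await credentials.create(options);
    return { status: "registered", credential };
  } catch (err) {
    if (err && err.name === "InvalidStateError") {
      return { status: "already-registered" };
    }
    if (err && err.name === "NotAllowedError") {
      return { status: "cancelled-or-denied" };
    }
    throw err; // unexpected failure: surface it rather than guess
  }
}
```

The result only becomes known after the interactive ceremony has run, which matches the point that a site cannot probe for credentials silently.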
