Re: [webauthn] How to know if a user has already registered a device? (#1749)

Hmmm... That's a pity.

> A website can't silently check whether the browser already has credentials without triggering the (interactive) sign-in experience (for obvious privacy reasons). 

What would be the privacy issues of a `credentials.exists(credentialId)`? It might be obvious for you, but I don't get it.

> * Ask the browser to show any known credentials in autofill when the user selects a username field, for cases where both passwords and WebAuthn are supported. (Browser support for this is still in development though.)

Well, autofills are notoriously unreliable/inconsistent.

> * Know when the user just signed-in using a non-local device, like a security key or phone, which might be a good signal to try registering the local device.

I wonder if there is confusion about this topic. The goal is to know if credentials should be created for the user or already exist. After all, it's alien for users. They are used to registering their account once, not registering their devices individually. With WebAuthn, instead of register/login, you should have three options:

- create account (credentials.create on new userId) 
- register additional device (credentials.create on existing userId) 
- login (credentials.get) 

Since users are unfamiliar with the concept of registering all their devices separately, it would be a great help to provide guidance to the user by highlighting either "Sign in" or "Register device" if they are on another device... or "Create account" if they don't have a user account yet.



-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1749#issuecomment-1160057756 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 20 June 2022 07:08:32 UTC