Re: [webauthn] Cross origin authentication without iframes (accommodating SPC in WebAuthn) (#1667)

Based on a credentialID the platform can determine if that credentialID exists on the authenticator assuming that it is not created at credprotect level 3. In principle the flag could be reported in an extension as part of the normal get assertion with UV=0 UP=0. We could also do something with credential management, however that currently requires authentication.

It gets more complicated if there is a requirement for this to work without an allow list.
Without the credential ID you would need an authentication if the credentials are created at credprotect level 2 (the default in Chrome).

One option would be to always create cross-origin capable credentials at credprotect level 1. That would allow them to be discovered without forcing a user verification first.

That was the original design but the Google privacy team wanted to enforce some sort of authentication before relating the information as I believe they consider the RPID storage to be sensitive. @AGL will have better info on those concerns that might resurface if we start making discoverable credentials at L1.

Not a problem if there is always an allow list.

John B.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1667#issuecomment-1060996723 using your GitHub account


Received on Monday, 7 March 2022 18:28:20 UTC
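To make the credProtect behaviour discussed in the comment above concrete, here is an added simulation (example code written for this page, not from the WebAuthn spec, CTAP, or the thread) of how a CTAP 2.1 authenticator filters credentials in getAssertion by credProtect level, allow list and UV; the Authenticator class, the RP ID and the credential IDs are constructed for illustration.

```python
# Model of CTAP 2.1 credProtect enforcement at getAssertion time.
# Constructed example: the authenticator, RP ID and credential IDs are made up.
USER_VERIFICATION_OPTIONAL = 1            # credProtect level 1
USER_VERIFICATION_OPTIONAL_WITH_LIST = 2  # level 2 (Chrome's default per the thread)
USER_VERIFICATION_REQUIRED = 3            # level 3


class Authenticator:
    def __init__(self):
        self.credentials = []  # each entry: {"cred_id", "rp_id", "cred_protect"}

    def make_credential(self, rp_id, cred_id, cred_protect=USER_VERIFICATION_OPTIONAL_WITH_LIST):
        if cred_protect not in (1, 2, 3):
            raise ValueError("invalid credProtect level")
        self.credentials.append({"cred_id": cred_id, "rp_id": rp_id, "cred_protect": cred_protect})

    def get_assertion(self, rp_id, allow_list=None, uv=False):
        """Return the credential IDs the authenticator will act on for this request.

        level 1: usable with or without UV, with or without an allow list
        level 2: without UV only when its credentialId is in the allow list
        level 3: only after user verification, allow list or not
        """
        usable = []
        for cred in self.credentials:
            if cred["rp_id"] != rp_id:
                continue
            if allow_list is not None and cred["cred_id"] not in allow_list:
                continue
            level = cred["cred_protect"]
            if level == USER_VERIFICATION_REQUIRED and not uv:
                continue  # behaves as if the credential does not exist
            if level == USER_VERIFICATION_OPTIONAL_WITH_LIST and not uv and allow_list is None:
                continue  # discoverable-credential request must authenticate first
            usable.append(cred["cred_id"])
        return usable


def demo():
    auth = Authenticator()
    auth.make_credential("example.com", b"cred-l1", cred_protect=USER_VERIFICATION_OPTIONAL)
    auth.make_credential("example.com", b"cred-l2", cred_protect=USER_VERIFICATION_OPTIONAL_WITH_LIST)
    auth.make_credential("example.com", b"cred-l3", cred_protect=USER_VERIFICATION_REQUIRED)
    return {
        # No allow list, no UV: only the level-1 credential reveals itself (the RP ID exposure the thread discusses).
        "no_list_no_uv": auth.get_assertion("example.com"),
        # Allow list with known IDs, no UV: levels 1 and 2 respond, level 3 stays hidden.
        "list_no_uv": auth.get_assertion("example.com", allow_list=[b"cred-l1", b"cred-l2", b"cred-l3"]),
        # After user verification every credential for the RP is usable.
        "no_list_uv": auth.get_assertion("example.com", uv=True),
    }
```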