Re: [webauthn] Support `discoverableCredential` field in the API. (#1565)

> Similar apple will silently replace your discoverable keys in the background if you re-register them on the same domain (even with a different username), meaning you can only have one key per site (so you can't multi-account from a single device).

Whether a site wants to work with discoverable credentials or not, the first half of this (silent overwriting) is already a fact of life with two platform authenticators (Windows Hello and Safari). I don't follow the second half, though, since I'm able to create multiple discoverable credentials in Safari if they're for different accounts. In any case, that's not really relevant to this issue, which is about API ergonomics.

> @lgarron It was a little ambiguous to me in the OP, to clarify your ask: you're simply proposing adding a new property `discoverableCredential` to [`AuthenticatorSelectionCriteria`](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-authenticatorselection) that is an alias of the existing [`residentKey`](https://www.w3.org/TR/webauthn-2/#dom-authenticatorselectioncriteria-residentkey)? And parsing logic related to `residentKey` would then become "if `residentKey` or `discoverableCredential` are `"required"` then..."?

Yeah, although ideally the other way around (i.e. rename `discoverableCredential` to `residentKey`, and make `residentKey` as a legacy alias for `discoverableCredential`).

I suggested in the original post that `discoverableCredential` would completely overwrite `residentKey`, but it doesn't matter exactly — since the goal here is to make the use of `residentKey` a legacy edge case.

> If that's so that seems pretty reasonable to me. Assuming such a thing would make it into L3 then maybe in L4 we could deprecate the `residentKey` argument completely 🤔

I would love to have a chance of dropping `residentKey` to avoid any potential confusion. 😃
But for now, being able to prioritize `discoverableCredential` in all code (most importantly, all public code snippets) would be a huge step toward avoiding potential confusion for new RP devs.

What would be a good step forward?

-- 
GitHub Notification of comment by lgarron
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1565#issuecomment-1076900006 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 23 March 2022 22:57:23 UTC
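The "if `residentKey` or `discoverableCredential` is `"required"`" resolution logic discussed in the thread, as an added example written for this page (not code from lgarron, the issue, or the WebAuthn spec). It assumes `discoverableCredential` is the proposed alias spelled as in the issue title; `residentKey` and the legacy `requireResidentKey` boolean are the existing WebAuthn Level 2 fields, and the L2 fallback (`requireResidentKey: true` means "required", otherwise "discouraged") is the spec's own rule.

```javascript
// Added example: resolve what an RP's `authenticatorSelection` effectively asks for.
// `discoverableCredential` is the PROPOSED alias from the issue, not a shipped field;
// `residentKey` (enum) and `requireResidentKey` (boolean) are existing WebAuthn L2 fields.

const VALID = new Set(["required", "preferred", "discouraged"]);

function resolveResidentKey(selection = {}) {
  const { discoverableCredential, residentKey, requireResidentKey } = selection;
  for (const [name, v] of [["discoverableCredential", discoverableCredential],
                           ["residentKey", residentKey]]) {
    if (v !== undefined && !VALID.has(v)) {
      throw new TypeError(`${name}: unknown value "${v}"`);
    }
  }
  // Proposed rule: the new name wins; the legacy enum is consulted only when it is absent.
  let effective = discoverableCredential ?? residentKey;
  // L2 fallback when neither enum is present: the legacy boolean decides.
  if (effective === undefined) {
    effective = requireResidentKey ? "required" : "discouraged";
  }
  // Warnings an RP library could surface so mixed legacy/new usage is caught early,
  // since a silent mismatch is how an RP ends up not getting the credential type it expected.
  const warnings = [];
  if (discoverableCredential !== undefined && residentKey !== undefined &&
      discoverableCredential !== residentKey) {
    warnings.push(`discoverableCredential="${discoverableCredential}" conflicts with ` +
                  `residentKey="${residentKey}"; using discoverableCredential`);
  }
  if (requireResidentKey === true && effective !== "required") {
    warnings.push(`requireResidentKey=true but effective policy is "${effective}"`);
  }
  return { effective, requiresDiscoverable: effective === "required", warnings };
}

// Build the `authenticatorSelection` an RP should send so old and new clients agree.
// L2 says requireResidentKey SHOULD be true if and only if residentKey is "required".
function buildAuthenticatorSelection(policy) {
  const { effective } = resolveResidentKey({ discoverableCredential: policy });
  return {
    discoverableCredential: effective,             // proposed alias (ignored by today's browsers)
    residentKey: effective,                        // what current L2 browsers read
    requireResidentKey: effective === "required",  // L1 backwards-compatibility flag
  };
}
```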