- From: Martin Kreichgauer <martinkr@google.com>
- Date: Fri, 14 Oct 2022 13:12:27 -0700
- To: W3C Web Authn WG <public-webauthn@w3.org>, public-webauthn-adoption@w3.org
- Message-ID: <CAB=fcEaCzZTkfHqcuTWkNm_iZhVuMVE7TRVcCJfK=YCLGMPPdQ@mail.gmail.com>
Dear WebAuthn Adoption Community Group and WebAuthn Working Group, We would like to give you an early heads-up of some changes to Chrome’s WebAuthn implementation on Desktop that we’re planning to release as soon as Chrome 108 <https://chromiumdash.appspot.com/schedule>. First, as we have announced previously <https://lists.w3.org/Archives/Public/public-webauthn/2022Sep/0164.html>, Chrome Conditional UI is now enabled by default. And Chrome Settings includes a UI that lets you manage your passkeys on Windows and Mac. We are also updating the illustrations in the tab-modal dialog that Chrome shows while a WebAuthn request is pending, and are changing instruction strings in this dialog to refer to ‘passkeys’. On macOS, Chrome has for a while now included its own platform authenticator, which stores credentials on the local device and ties them to the user’s Chrome profile. When creating a passkey on this platform authenticator, the tab-modal request dialog now includes a prompt that displays the user account information <https://w3c.github.io/webauthn/#dictionary-user-credential-params> associated with the request, before showing the “native” macOS Touch ID prompt. When asserting a passkey from the macOS platform authenticator, the prompt to select a passkey is now shown before the macOS Touch ID prompt. All new credentials created on Chrome’s macOS platform authenticator are now always created client-side discoverable <https://w3c.github.io/webauthn/#client-side-discoverable-credential>, thus aligning with the behavior of some other platform authenticators. Any existing non-discoverable credentials on the macOS platform authenticator continue to be non-discoverable. Lastly, on Windows, WebAuthn UI is currently split between Chrome’s own browser UI, which supports phones as authenticators, and the Windows “native” WebAuthn UI, which supports FIDO security keys and the Windows platform authenticator. We are now changing in which cases Chrome shows its own browser UI ahead of the native Windows WebAuthn system dialog: - For create() request with residentKey=’required’ and for get() requests with an empty allowCredentials parameter, Chrome will show a browser dialog that lets the user choose between using a phone, or using a USB security key or Windows Hello through the native Windows UI. - For other types of requests, Chrome shows the Windows WebAuthn dialog immediately. Users wishing to use a phone for these requests must cancel out of the native UI first. As alway, if you find anything broken, please file a bug <https://crbug.com/new>! Thanks, Martin Kreichgauer for the Chrome WebAuthn team
Received on Friday, 14 October 2022 20:14:25 UTC