[webauthn] Support Filtering by Username in Conditional UI (#1793)

ChadKillingsworth has just created a new issue for https://github.com/w3c/webauthn:

== Support Filtering by Username in Conditional UI ==
## Description

It is common for sites to re-confirm an already authenticated user's password to perform sensitive operations in an application - such as changing a username, a two-factor auth setting or any other security-related data point. Replacing this flow with user-verifying authenticator credentials is required to fully eliminate password use.

As I worked on implementing Conditional UI, I realized that while the credentials being confirmed can only belong to the currently authenticated user, Conditional UI provides no way to filter those credentials. Choosing the credentials of any user except the currently authenticated one will always fail.

![Screenshot 2022-09-05 at 8 31 21 AM](https://user-images.githubusercontent.com/1247639/188463128-ac9338a2-a132-4f42-bc53-ed0acc8043f6.png)

While the Conditional UI explainer [explicitly requires an empty allowCredentials list](https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI#empty-allowcredentials), it seems like this use case was not considered. In traditional password based flows, a hidden field with the username is utilized to hint to password managers which credential is being requested.

Conditional UI needs a method to filter or at least hint which user's credentials are acceptable for this use case.

## Related Links

Without a Conditional UI hint, implementers will be forced to rely on some sort of browser state to prevent a negative user interaction, which will incur all of the original problems that led to the development of Conditional UI: https://github.com/w3c/webauthn/issues/1356

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1793 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 5 September 2022 13:54:14 UTC
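The following is an added example, not code from the issue author, the WebAuthn specification or any browser. It shows the two assertion requests the issue contrasts (Conditional UI with the mandatory empty `allowCredentials`, and a non-conditional re-authentication request scoped to the signed-in user) and the relying-party check that is the only defence available while Conditional UI cannot filter by user: confirming server-side that the credential which produced the assertion belongs to the session's user. The credential store, user and credential identifiers, and the `verifyReauthBinding` name are constructed for illustration; the example assumes the client has already base64url-encoded `credential.id` and `response.userHandle` before posting them to the server.

```javascript
// Constructed sample of a relying party's credential store, keyed by the RP's
// internal user id. Credential IDs and user handles are base64url strings, as
// a server would store them after registration. Not real data.
const CREDENTIAL_STORE = {
  "user-alice": {
    userHandle: "YWxpY2UtaGFuZGxl",
    credentialIds: ["Y3JlZC1hbGljZS0x", "Y3JlZC1hbGljZS0y"],
  },
  "user-bob": {
    userHandle: "Ym9iLWhhbmRsZQ",
    credentialIds: ["Y3JlZC1ib2ItMQ"],
  },
};

// Conditional UI request, as the explainer requires: allowCredentials must be
// empty, so the browser offers every passkey it holds for this RP ID,
// including credentials that belong to users other than the one signed in.
// `challenge` is the server-issued challenge (an ArrayBuffer in a browser).
function conditionalUiRequest(challenge, rpId) {
  return {
    mediation: "conditional",
    publicKey: {
      challenge,
      rpId,
      allowCredentials: [],
      userVerification: "required",
    },
  };
}

// Non-conditional re-authentication request: the RP already knows who is
// signed in, so it can scope the request to that user's registered
// credentials. This is the filtering the issue asks for but cannot get
// from Conditional UI today.
function scopedReauthRequest(challenge, rpId, userId) {
  const user = CREDENTIAL_STORE[userId];
  return {
    publicKey: {
      challenge,
      rpId,
      userVerification: "required",
      allowCredentials: user.credentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
}

// Server-side binding check for a re-authentication assertion. It runs in
// addition to, never instead of, normal assertion verification (challenge,
// origin, RP ID hash, signature, sign count). `assertion.id` is the
// base64url credential ID; `assertion.userHandle` is the base64url user
// handle or null (authenticators may omit it for allow-list requests).
// Returning a reason lets the RP tell the user why the chosen credential was
// rejected instead of the opaque failure the issue describes.
function verifyReauthBinding(sessionUserId, assertion) {
  const user = CREDENTIAL_STORE[sessionUserId];
  if (!user) {
    return { ok: false, reason: "unknown session user" };
  }
  if (!user.credentialIds.includes(assertion.id)) {
    return { ok: false, reason: "credential not registered to signed-in user" };
  }
  if (assertion.userHandle !== null && assertion.userHandle !== user.userHandle) {
    return { ok: false, reason: "userHandle mismatch" };
  }
  return { ok: true, reason: "credential belongs to signed-in user" };
}
```

In a browser the first two objects are passed to `navigator.credentials.get()`; the assertion that comes back is posted to the server, where `verifyReauthBinding` decides whether the credential the user picked from the Conditional UI list is even eligible for this session before the cryptographic checks run. Because Conditional UI shows Bob's passkeys to a signed-in Alice, the mismatch case is exactly the "always fail" path the issue describes.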