Re: [webauthn] Support Filtering by Username in Conditional UI (#1793)

> But it seems the concern is that all of their credentials might be (non-synced) platform credentials on different machines than the current one?

Yes. In general, the implementors (including myself) are very leery of launching the modal UI flow unless there is a near-guarantee that the user has a valid credential available. Since the spec is specifically written to prohibit this level of advance knowledge, it makes it difficult to funnel users to the superior webauthn flows vs traditional passwords.

> Wouldn't supporting the current credentialID allowlist pattern in Conditional UI be simpler than trying to add a filter on user-id?

Yes that would definitely solve the issue. I almost wrote that into the initial post, but didn't want to focus the issue solely on that solution.

> I don't think the Autofill UI is the right pattern for the step up use case. You generally don't show the user a username field to ask them to step up. The Autofill UI is designed to address initial sign in.

I'm not sure that is accurate. The webauthn Conditional UI autofill token is valid on both a username or a password input field. Conditional UI was designed to work around the privacy concerns of exposing to the user agent the existence of credentials in advance and the poor UI experience otherwise encountered by simply proactively launching the modal flow.

-- 
GitHub Notification of comment by ChadKillingsworth
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1793#issuecomment-1239680051 using your GitHub account



Received on Wednesday, 7 September 2022 17:27:48 UTC