- From: Pascoe via GitHub <sysbot+gh@w3.org>
- Date: Wed, 26 Jul 2023 15:44:52 +0000
- To: public-webauthn@w3.org
> how does the client know that "an authentication ceremony is [completed] via non-WebAuthn means"? I don't think the client necessarily needs to know. I think it could be hard to get the heuristics right for those manually entering credentials. However, if a password manager is being used, the client can be certain about the time that it autofills. Many password managers also collect some kind of user verification at time of autofill, which could be used for the credential creation as well. > thus that would be a recursive IDL object. Is this a problem? (though made moot by below) > Next, creating a credential requires specifying things like the user.name, user.displayName, and user.id. But if the site has to set the creation parameters at the time of making a conditional get request, it probably doesn't know who the user is. This is a good point. Perhaps the creation options could be provided by a callback. > Lastly, signing in often navigates the page, which aborts all outstanding conditional requests. It might be a little complex for sites to sequence things so that the registration isn't truncated by the navigation and lost. Typically the user agent does the actual navigation / submits the form after an autofill, so I don't think this would be an issue. -- GitHub Notification of comment by pascoej Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1929#issuecomment-1652078954 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 26 July 2023 15:44:57 UTC