Re: [webauthn] Add new isPasskeyPlatformAuthenticatorAvailable() method (#1901) from Matthew Miller via GitHub on 2023-06-08 (public-webauthn@w3.org from June 2023)

From: Matthew Miller via GitHub <sysbot+gh@w3.org>
Date: Thu, 08 Jun 2023 22:44:27 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1583533841-1686264265-sysbot+gh@w3.org>

I'm happy for "passkey" to simply be made equivalent in WebAuthn to a "discoverable credential". The sync-ability of discoverable credentials is neither here nor there for the spec, which simplifies things greatly.

Regarding method name, I think `isPasskeyPlatformAuthenticatorAvailable()` ("isPPAA" 🤔) is fine. It's still too long for my personal preference, but because it follows the "PlatformAuthenticatorAvailable" pattern we've got with isUVPAA (and I can't think of a more succinct name for a method like this) then I'd be willing to commit to this one as proposed.

> > `isPlatformBackupEligibleAuthenticatorAvailable()` would be more precise.
> 
> @ndpar that is not what the method is conveying. This PR contains a definition of passkeys, aliased to the existing definition of a discoverable credential.

@ndpar I think I have to agree with Tim on this one, there's of course nothing about a discoverable credential that would prevent one from being used in a hybrid auth flow if it wasn't synced, nor via local platform authenticator under the same conditions. Thus I too believe it's better to leave out the idea of backup eligibility from this method, since all it's trying to establish is a developer-friendly method of intuiting if the conditions are right for passkey auth to likely succeed.

And from the RP's perspective I like that this presents a simple initial feature check that the browser is in a position to do hybrid registration/auth (it's currently impossible, for example, for an RP to understand via JS that a hybrid auth attempt failed because the browser didn't have Bluetooth permissions at the OS level).

I _might_ argue that I'd prefer the check for a client's hybrid prerequisites being satisfied to be a separate API method, then devs could simply chain the existing isUVPAA method with such a hybrid check method. But if we get such a capability to check for that as part of a more full-featured feature detection API somewhere down the line then I think I'd be fine with this method combining the two signals.

-- 
GitHub Notification of comment by MasterKale
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/1901#issuecomment-1583533841 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 8 June 2023 22:44:30 UTC