- From: Eric Stern via GitHub <sysbot+gh@w3.org>
- Date: Sat, 04 May 2024 00:02:40 +0000
- To: public-webauthn@w3.org
Firehed has just created a new issue for https://github.com/w3c/webauthn:
== Provide a mechanism to indicate backend registration success or failure ==
## Description
When registering a new credential (in particular using passkeys), there exists a weird edge case where the browser APIs succeed but the backend processing fails or hangs. This can result in a confusing experience for users later on when authenticating - the browser can now suggest and even autofill a passkey that's completely unusable by the relying party.
I think it would be possible to alleviate this problem by expanding the `navigator.credentials.create()` API. In terms of ergonomics I'm not sure what would be best, but the gist of it would be adding something like `discardIfNotConfirmedAfter: duration` as a new optional parameter and, if provided, use it to hint that the credential isn't (yet) usable and should be removed from storage if a follow-up API isn't called. I could see something like `navigator.credentials.confirm(credential.rawId)` or an equivalent method added to the attestation that .create() returns.
Loosely:
```ts
const attestation = await navigator.credentials.create({
  publicKey: {
    discardIfNotConfirmedAfter: 30000, // milliseconds
    challenge,
    // ...
  }
})
const serverResponse = await storeCredentialWithRelyingParty(attestation) // Some site-specific procedure
// If this is not called within 30s of the .create() promise resolving AND the
// created credential is discoverable, then it could be discarded from storage
attestation.confirm()
```
If the value is not provided, then the current behavior (of immediate storage) should be retained.
I've seen a couple of discussions around adding APIs to edit existing credentials (to e.g. allow an RP to indicate to the browser that a previously-registered credential is no longer usable or should be renamed) that are generally in this same space.
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2067 using your GitHub account
--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Saturday, 4 May 2024 00:02:41 UTC
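As an added illustration, not part of the issue text or of the WebAuthn specification, the following JavaScript models the proposed lifecycle with a simulated authenticator store: `discardIfNotConfirmedAfter`, the `confirm()` follow-up and the clock are all constructed here, and the scenarios contrast today's immediate-storage behaviour (an orphaned passkey the RP cannot use) with the proposed hint when the backend fails or confirms too late.

```javascript
// Constructed model of the proposed create({ discardIfNotConfirmedAfter }) + confirm()
// lifecycle. Nothing here is a real browser API; time is passed in explicitly.
class SimulatedAuthenticator {
  constructor() { this.stored = new Map(); this.next = 1; } // rawId -> { confirmed, deadline }

  // Models navigator.credentials.create(). Without the hint the credential is
  // usable immediately (today's behaviour); with it, it stays pending until confirm().
  create({ discardIfNotConfirmedAfter }, now) {
    const rawId = `cred-${this.next++}`;
    const pending = Number.isFinite(discardIfNotConfirmedAfter);
    this.stored.set(rawId, {
      confirmed: !pending,
      deadline: pending ? now + discardIfNotConfirmedAfter : Infinity,
    });
    return { rawId, confirm: (t) => this.confirm(rawId, t) };
  }

  // Models the proposed follow-up call. Returns false if the deadline already passed:
  // the credential is gone and the RP should treat the registration as failed.
  confirm(rawId, now) {
    this.sweep(now);
    const entry = this.stored.get(rawId);
    if (!entry) return false;
    entry.confirmed = true;
    return true;
  }

  // Drop pending credentials whose confirmation window has closed.
  sweep(now) {
    for (const [id, e] of this.stored) {
      if (!e.confirmed && now > e.deadline) this.stored.delete(id);
    }
  }

  // What a passkey autofill prompt would be able to offer at time `now`.
  discoverable(now) {
    this.sweep(now);
    return [...this.stored].filter(([, e]) => e.confirmed).map(([id]) => id);
  }
}

// One registration ceremony: create, hand the attestation to the (simulated) RP
// backend, and call confirm() only if the backend reports success.
function register(auth, backendStoresOk, opts, t0, backendLatency) {
  const att = auth.create(opts, t0);
  if (!backendStoresOk) return { rawId: att.rawId, confirmed: false };
  return { rawId: att.rawId, confirmed: att.confirm(t0 + backendLatency) };
}

// cred-1 is today's behaviour (orphaned but still offered); the rest use the hint.
function runScenarios() {
  const a = new SimulatedAuthenticator();
  register(a, false, {}, 0, 100);                                     // cred-1: backend fails, no hint
  register(a, false, { discardIfNotConfirmedAfter: 30000 }, 0, 100);  // cred-2: backend fails, discarded
  register(a, true, { discardIfNotConfirmedAfter: 30000 }, 0, 5000);  // cred-3: confirmed in time
  const slow = register(a, true, { discardIfNotConfirmedAfter: 30000 }, 0, 40000); // cred-4: confirm too late
  return { offered: a.discoverable(60000), slowConfirmed: slow.confirmed };
}
```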