Re: [webauthn] Surface platform authenticator status in the `create` (and maybe `get`) response / help RPs track UV/PA/RK (#1567)

I would argue that most of these are addressed at this point:

> ## Whether the registration is for a user-verifying authenticator

This is now sort-of available via [getAuthenticatorData()](https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-authenticatorattestationresponse-getauthenticatordata) followed by a static byte index (`[32]`) and bitmask (`& 0b100`), no CBOR library needed. Only if the RP requests `userVerification: "preferred"` or `"required"`, but maybe that's close enough.


> ## Whether the registration is a discoverable credential (resident key)

As mentioned above, this is available in the `credProps` extension output.


> ## Whether the registration is a platform authenticator
> [...]
> 1. It would be nice to receive information whether the registration comes from a platform authenticator, at least in the case where the RP specifically asked for it.

This is now available as the [`PublicKeyCredential.authenticatorAttachment`](https://www.w3.org/TR/2023/WD-webauthn-3-20230927/#dom-publickeycredential-authenticatorattachment) attribute.


> 2. It would be nice if this information was provided to the RP in a consistent way, and ideally in a way that the RP is likely to save by default (i.e. not purely in an extension).

Not really addressed. Perhaps L4 could move `credProps.rk` to a property on `AuthenticatorAttestationResponse`, like `getTransports()`, but on the other hand that would also just mean there's yet another place the RP needs to look for this information.


> 3. It would be nice if all three properties were attested by the authenticator. I recognize this is probably a stretch.

Not addressed. I personally don't think these properties are important enough to be worth this effort.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1567#issuecomment-2372474531 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 24 September 2024 22:09:50 UTC
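
The three lookups named in the comment above (the flags byte at index 32 of `getAuthenticatorData()`, `credProps.rk`, and `authenticatorAttachment`), combined into one helper. This is an added example, not code from the comment or the specification; `summarizeRegistration` and `makeCredential` are hypothetical names, and the credential object is a constructed stand-in so the block runs outside a browser.

```javascript
// Added example: collect UV / RK / attachment from a create() result.
// Each field is null when the client did not supply it, so "unknown" is never read as "false".
const FLAGS_OFFSET = 32; // authenticator data starts with a 32-byte rpIdHash, then the flags byte
const FLAG_UV = 0b100;   // bit 2 of the flags byte = User Verified

function summarizeRegistration(cred) {
  const out = { userVerified: null, discoverable: null, attachment: null };

  // getAuthenticatorData() may be missing on older clients.
  const resp = cred.response;
  if (resp && typeof resp.getAuthenticatorData === "function") {
    const authData = new Uint8Array(resp.getAuthenticatorData());
    if (authData.length > FLAGS_OFFSET) {
      out.userVerified = (authData[FLAGS_OFFSET] & FLAG_UV) !== 0;
    }
  }

  // credProps.rk is optional even when the RP requested the extension.
  const ext = typeof cred.getClientExtensionResults === "function"
    ? cred.getClientExtensionResults() : {};
  if (ext.credProps && typeof ext.credProps.rk === "boolean") {
    out.discoverable = ext.credProps.rk;
  }

  // "platform", "cross-platform", or null when not reported.
  out.attachment = cred.authenticatorAttachment ?? null;
  return out;
}

// Constructed stand-in for a PublicKeyCredential (sample data, not a real response).
function makeCredential({ flags, credProps, attachment, withGetter = true }) {
  const authData = new Uint8Array(37); // rpIdHash(32) + flags(1) + signCount(4)
  authData[FLAGS_OFFSET] = flags;
  return {
    authenticatorAttachment: attachment,
    response: withGetter ? { getAuthenticatorData: () => authData.buffer } : {},
    getClientExtensionResults: () => (credProps ? { credProps } : {}),
  };
}

// Flags 0b01000101 = UP | UV | AT
const sample = makeCredential({ flags: 0b01000101, credProps: { rk: true }, attachment: "platform" });
console.log(summarizeRegistration(sample));
```
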