Comments (7)
For local platform, it makes sense to return immediately because there is no other option. For external security keys, the user may want to use another security key, but plugged in another key because maybe they all look alike, or the user accidentally inserted an already created one. We try to strive for the user to succeed.
from webauthn.
Right, that is the logic for the current implementations, but it is only controlled by the authenticatorAttachment preference in the request. So this applies to requests where the user might do hybrid now as well. Hybrid flows are high touch, and it is unlikely that the user has alternative phones etc. to satisfy the request. So I don't think that "Try again?" logic is helpful for those users.
In comparison to those cases, we expect SK usage, and in particular users with multiple SKs to be rare. And the RP can equally help the user enter a try-again flow if they want as well.
So I think currently this behavior is not helping users overall.
Note that my motivation for the proposal is also because I think we should strive for the user to succeed. Unfortunately the browser must fall back to very generic language in these prompts and we've seen them be unhelpful more than we've seen them be helpful.
from webauthn.
However this thing goes I'd like to emphasize how useful it is as an RP to get ISE on an excludeCredentials collision, and hope that if the browser and/or platform continue to own the WebAuthn experience that an ISE continues to get returned even if a user clicks Cancel on a "sorry, you already registered that" message that the browser/platform displays. Otherwise all that RPs would be left with is the signal indicating the user canceled out of the ceremony with no idea that it was because the authenticator was already registered.
from webauthn.
I think I agree with @MasterKale. I would put the ask as:
- If the user cancels out of the ceremony, and at no point during that ceremony the user attempted to use an authenticator that matched excludeCredentials, then return NotAllowedError.
- If the user cancels out of the ceremony, but at some point during that ceremony the user attempted to use an authenticator that matched excludeCredentials (even if the user afterwards clicked a retry option and, for example, attempted to use hybrid but failed), then return InvalidStateError.
Does that match up with what you're saying, @MasterKale?
(I currently have no opinion on whether the browser should offer a retry option or should always return on first failure.)
from webauthn.
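The two cancel-out outcomes in the ask above, seen from the RP side, as an added example that is not code from the WebAuthn spec repository or any browser: the RP builds excludeCredentials from the credential IDs it already holds for the user, and then maps a rejected create() to "already registered" (InvalidStateError) versus "the user cancelled or timed out" (NotAllowedError). The simulateCancelledCeremony function is a toy model of the rule proposed in the comment (any excluded authenticator touched during the ceremony wins over a later cancel); it is an assumption about the proposal, not a description of what any client currently ships. registerCredential, the injected create function and the sample base64url IDs are my own constructions.

```javascript
// Added example: RP-side handling of InvalidStateError vs NotAllowedError on
// a registration (create()) ceremony with excludeCredentials. Runs in Node or a
// browser; in a browser pass navigator.credentials.create.bind(navigator.credentials)
// as the `create` argument of registerCredential.
const DomErr = globalThis.DOMException ?? class extends Error {
  constructor(message, name) { super(message); this.name = name; } // fallback for old Node
};

// Credential IDs are stored base64url-encoded by the RP; decode to bytes for the request.
function b64urlToBytes(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, '+').replace(/_/g, '/') + pad);
  return Uint8Array.from(bin, c => c.charCodeAt(0));
}

function bytesToHex(u8) {
  return Array.from(u8, b => b.toString(16).padStart(2, '0')).join('');
}

// Build excludeCredentials from the IDs the RP already has registered for this user.
function buildExcludeCredentials(registeredIds) {
  return registeredIds.map(id => ({ type: 'public-key', id: b64urlToBytes(id) }));
}

// Map the DOMException name of a rejected create() to the RP's decision.
function classifyCreateError(err) {
  switch (err && err.name) {
    case 'InvalidStateError': return 'already-registered';   // excludeCredentials collision
    case 'NotAllowedError':   return 'cancelled-or-timeout'; // nothing to learn from this one
    default:                  return 'other';
  }
}

// Toy model of the proposed client rule (assumption, not spec text): `attempts` is
// the sequence of credential IDs (base64url) the user presented before cancelling.
// If any of them is in excludeCredentials the ceremony ends with InvalidStateError
// even though the user ultimately cancelled; otherwise with NotAllowedError.
function simulateCancelledCeremony(excludeCredentials, attempts) {
  const excluded = new Set(excludeCredentials.map(c => bytesToHex(c.id)));
  const matched = attempts.some(id => excluded.has(bytesToHex(b64urlToBytes(id))));
  return matched
    ? new DomErr('Authenticator already registered', 'InvalidStateError')
    : new DomErr('User cancelled the ceremony', 'NotAllowedError');
}

// RP-side registration wrapper: attach the exclude list and classify the outcome.
async function registerCredential(create, options, registeredIds) {
  const publicKey = { ...options, excludeCredentials: buildExcludeCredentials(registeredIds) };
  try {
    const credential = await create({ publicKey });
    return { outcome: 'registered', credential };
  } catch (err) {
    return { outcome: classifyCreateError(err), credential: null };
  }
}
```

Because classifyCreateError only looks at the error name, the RP can show "that security key is already registered, try a different one" for InvalidStateError and a neutral "registration cancelled" message otherwise, which is exactly the signal the comment above asks browsers to preserve.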
Does that match up with what you're saying, @MasterKale?
Catching up, yes, I think your logic holds up to what I'd like to see happen if this moves forward.
from webauthn.
Sure, that sounds fine with me. But the primary ask in this issue is that if a local credential matches an exclude list entry, and the user performs its UV ceremony (which already should be offered before any external authnr interactions), then immediately return ISE and don't offer to retry with other authenticators.
I'm ok if requests with attachment=cross-platform offer some retry options, but I don't think they should. In general we should try and reduce the already complex branching logic in the common UX.
from webauthn.
(I am on leave until Sept 18 btw so replies from me here will be sporadic. Tony, feel free to reassign if needed, otherwise I can tend to this when I'm back.)
from webauthn.