navigator.credentials.get() option to suppress chrome UI popup if allowCredentials is not present in the authenticator #74

Closed
kmlhossen opened this issue Jun 26, 2019 · 2 comments


kmlhossen commented Jun 26, 2019

I was trying in Chrome with the Mac's inbuilt fingerprint scanner (platform authenticator only) and wondering what the solution will be for the following use case for a relying party:

  1. Let's say a user registered WebAuthn on device A with the relying party R.
    The authentication flow is like this: the user comes to the relying party R, inputs the username and clicks next; the relying party pulls the previously registered credential IDs for the user to create allowCredentials and queries the authenticator for authentication. All goes fine, as the authenticator has the private key associated with one of those allowCredentials.

  2. But let's say the same user goes to device B, not registered before, and tries to log in with the same relying party R by putting in the username and clicking next. This time again the relying party pulls the registered credential IDs for the user to create allowCredentials and queries the authenticator for authentication. But this time, as device B does not have any associated private key, it shows an error popup window in Chrome.

Is there any way we can pass an option to the navigator.credentials.get call so that, if the associated private key is not present for the given allowCredentials, we can just stop the WebAuthn flow by catching some error?

This will help to fall back to some other authentication method without showing the error popup window, and to ask the user later to register device B after a successful login with other authentication methods.

Member

cpiper commented Jul 1, 2019

Hi, this would require a change to Chromium (and potentially the WebAuthn specification if adding a new field to the credentials.get call), rather than this GitHub repo. If you file a request at https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EWebAuthentication or https://github.com/w3c/webauthn, more information could probably be provided.

In general, for privacy reasons the WebAuthn API tries to avoid responding to any request until a response is received from an authenticator. This is to avoid giving additional information about a user attempting login to the relying party.

cpiper closed this as completed Jul 1, 2019
@kmlhossen
Author

Thanks for the information
