Add a method to determine whether external CTAP2 security keys are supported

[jcjones]

In Mozilla's bug 1526023, we added a non-standard WebIDL method to PublicKeyCredential:

static Promise<boolean> isExternalCTAP2SecurityKeySupported();

We did this to avoid worse fingerprinting of Firefox CTAP2 support via user agent sniffing. The details are available in the bug.

I dislike adding fingerprinting surface, but the alternative for this situation was for RPs to have knowledge that Firefox 66 on Windows 10 build ${buildnumber} to have CTAP2 support, and others do not.

Perhaps this is something the WG should consider adding to the spec.

[jcjones]

In argument to not adding this to the spec, it's a transitory thing: Firefox, for example, will eventually return a promise that resolves true every time, once we have support for CTAP2 on all platforms.

[sbweeden]

I'd really like to see this be a "user-agent webauthn capabilities" api, which covers more than just CTAP2, but also "pin support", plus potentially other things that allow the RP developer to provide a superior user experience during registration.

[nadalin]

Per 03/07/19 F2F Close no action