This PR adds initial support for WebAuthn L3's new "conditional create" to @simplewebauthn/browser's startRegistration() as a new useAutoRegister option.
Automatic registration/conditional creation is intended to streamline passkey adoption by allowing the browser to work with a user's password manager (which must also be a passkey provider) after a successful login to register a passkey for that site. Most of the heavy lifting happens between the browser and the provider; the relying party calls startRegistration({...}) and waits for a response back (very similar to using browser autofill with startAuthentication({...}).) If startRegistration() resolves with a response then the RP can verify it as usual and store a passkey for the user, ostensibly to prompt the user to do passkey auth on next login.
Speaking of verification, the PR also updates @simplewebauthn/server's verifyRegistrationResponse() with a new requireUserPresence option that can be set to false when verifying automatic registration responses (it defaults to true.) It will often be the case during auto registration that the up (User Presence) flag will be false, a first for WebAuthn. This new option will allow RPs to support conditionally verifying these types of responses.
Guidance on the proper use of useAutoRegister will be documented on the SimpleWebAuthn docs site (https://github.com/MasterKale/SimpleWebAuthn-homepage/issues/50).
Fixes #582.
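The flag check that requireUserPresence relaxes, as an added example (not code from this PR or from SimpleWebAuthn): it reads the flags byte of the authenticator data and skips the UP requirement only when the server's own record of the ceremony says it was started as an automatic registration. The names parseFlags, checkPresence, sampleAuthData and the pending.autoRegister field are hypothetical.

```javascript
// Added example, not SimpleWebAuthn's implementation.
// Authenticator data: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
const FLAG_UP = 0x01; // bit 0: User Present
const FLAG_UV = 0x04; // bit 2: User Verified
const FLAG_AT = 0x40; // bit 6: attested credential data present

function parseFlags(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error('authenticator data is shorter than 37 bytes');
  }
  const flags = authData[32];
  return {
    up: (flags & FLAG_UP) !== 0,
    uv: (flags & FLAG_UV) !== 0,
    at: (flags & FLAG_AT) !== 0,
  };
}

// `pending` is a hypothetical server-side record saved with the challenge when
// the registration options were issued. The decision to waive UP comes from
// that record, never from a field the client sends back with the response.
function checkPresence(authData, pending) {
  const { up, uv, at } = parseFlags(authData);
  if (!at) throw new Error('registration response carries no credential data');
  const requireUserPresence = pending.autoRegister !== true;
  if (requireUserPresence && !up) {
    throw new Error('UP flag is not set and this ceremony requires user presence');
  }
  return { requireUserPresence, up, uv };
}

// Constructed sample input: a zeroed 37-byte header with only the flags byte set.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}

// Auto registration: AT set, UP clear, accepted because the server started it.
console.log(checkPresence(sampleAuthData(0x40), { autoRegister: true }));
```

The value of requireUserPresence returned here is what an RP would pass to verifyRegistrationResponse() for that ceremony.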