duo-labs / webauthn.io

The source code for webauthn.io, a demonstration of WebAuthn.
https://webauthn.io
BSD 3-Clause "New" or "Revised" License
657 stars 121 forks

Google Chrome asking to allow or block request when attestation is "direct" #12

Closed chrismccaw closed 5 years ago

chrismccaw commented 5 years ago

I am using Chrome and when selecting the attestation type to be "direct" an additional popup appears asking to "Allow" or "Block" my authenticator details. Even though I block the request I can still login. Is this expected?

aseigler commented 5 years ago

Yes, that is totally normal and expected. Chrome, for privacy purposes, offers you the option of not providing your authenticator make/model (aka AAGUID) to the server. The server has the option of not allowing the session if you choose not to provide this detail, but for this demo site's purposes, the server does not care. In the real world, your mileage may vary. An enterprise or bank, for example, might insist on knowing you are using an authenticator from a trusted vendor.
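
One way a relying party could act on the choice described above, as an added example (not webauthn.io's own code): pull the AAGUID out of the registration's authenticator data and apply a configurable policy, lenient like the demo site or strict like an enterprise. The trusted-vendor AAGUID, rpIdHash and credential id below are constructed sample values, not real identifiers.

```python
"""Relying-party attestation policy check (added example, not webauthn.io code)."""
import struct
import uuid

# Constructed allowlist: a hypothetical vendor AAGUID a strict RP would accept.
TRUSTED_AAGUID = uuid.UUID("d41d8cd9-8f00-b204-e980-0998ecf8427e")
TRUSTED_AAGUIDS = {TRUSTED_AAGUID}
ZERO_AAGUID = uuid.UUID(int=0)  # what an anonymized ("none") attestation carries

AT_FLAG = 0x40  # "attested credential data included" bit in the authData flags byte


def extract_aaguid(auth_data: bytes) -> uuid.UUID:
    """Return the 16-byte AAGUID from authData.

    Layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16) | credIdLen(2) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    if not auth_data[32] & AT_FLAG:
        raise ValueError("authData carries no attested credential data")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("authData truncated before AAGUID/credentialIdLength")
    return uuid.UUID(bytes=auth_data[37:53])


def attestation_policy(fmt: str, auth_data: bytes, require_attestation: bool) -> tuple:
    """Decide whether to accept a registration; returns (accepted, reason).

    When the browser withholds attestation (Chrome after "Block"), the attestation
    statement format is "none" and the AAGUID is zeroed.
    """
    aaguid = extract_aaguid(auth_data)
    if fmt == "none" or aaguid == ZERO_AAGUID:
        if require_attestation:
            return False, "attestation withheld; policy requires vendor identification"
        return True, "accepted without attestation (demo-style policy)"
    if aaguid not in TRUSTED_AAGUIDS:
        return False, f"AAGUID {aaguid} not in trusted-vendor allowlist"
    return True, f"accepted; authenticator {aaguid} is trusted"


def build_auth_data(aaguid: uuid.UUID) -> bytes:
    """Construct minimal sample authData: UP+AT flags, fake rpIdHash and credential."""
    cred_id = b"\x01" * 16
    return (b"\x00" * 32 + bytes([0x41]) + struct.pack(">I", 1)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```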

chrismccaw commented 5 years ago

Ah, I see. Yeah, I noticed Firefox does not present this popup, so Chrome is just being transparent about the data being sent.