Closed FlxMgdnz closed 4 months ago
I cannot find registration hints in the webauthn library. Do they also have another name?
It's a level 3 feature, but it seems that Google has already implemented hints.
Discussed this with @FreddyDevelop yesterday. We currently see three different use cases for WebAuthn that we should support:

1. The default passkey use case. The login page offers either a "Sign in with a passkey" button, or passkey autofill, or both. No username entry is required to initialize the passkey flow. Passkey creation happens during user onboarding or on the account setting page for authenticated users.
   - Create() `userVerification`: Preferred (for high security requirements, Required may work better: https://web.dev/articles/webauthn-user-verification)
   - Create() `residentKey`: Required (the only way to support usernameless first-factor passkeys)
   - Create() `attestation`: Direct (to support AAGUID-based authenticator naming)
   - Get() `userVerification`: Preferred (same as on registration), result should be checked and made available for RP for risk analysis
2. Prompt for a passkey to reauthenticate a user, e.g. when accessing the account settings page or other high-value features of the RP app.
   - Get() `userVerification`: Preferred (same as on registration), result should be checked and made available for RP for risk analysis
3. Usually a security key, but Hybrid flow can also be used in current browser implementations, so 2nd factor synced passkeys cannot be prevented without nuking the UX through attestation. It is nice to allow existing passkeys to be used for 2FA as well, but Create() should probably be limited to security keys as 2nd factors as described below.
   - Create() `userVerification`: Discouraged (to prevent forcing the user to set up a pin for the security key)
   - Create() `authenticatorAttachment`: Cross-Platform
   - Create() `residentKey`: Discouraged (typical security keys can only store ~25 Discoverable Credentials)
   - Create() `attestation`: Direct (to support AAGUID-based authenticator naming)
   - Get() `userVerification`: Preferred (same as on registration), result should be checked and made available for RP for risk analysis

So that and https://github.com/teamhanko/passkeys/issues/33 are required to offer these options?
Add config options for

- `userVerification`: Discouraged, Preferred, Required
- `authenticatorAttachment`: Platform, Cross-Platform
- `residentKey`: Discouraged, Preferred, Required
- `attestation`: None, Direct (not really useful until we add attestation check via MDS to backend)
- `hints`: Security Key, Client Device, Hybrid (WebAuthn lvl3 feature, but already implemented in Chrome)