w3c / secure-payment-confirmation

Secure Payment Confirmation (SPC)
https://w3c.github.io/secure-payment-confirmation/

Is it possible for a user to downgrade a credential creation request? #154

Open samuelweiler opened 2 years ago

samuelweiler commented 2 years ago

During TPAC, we observed that SPC-capable credentials can also be used for login. I speculated about the possibility of not-payment sites attempting to create SPC-capable credentials for the purpose of getting around storage partitioning. While that could make for some lovely UX studies, there might also be an action for the WPWG:

Is it possible for a user to downgrade a credential creation request from SPC-capable (cross-origin) to login-only (single-origin)? If not, what changes do we need to make in the protocol to be able to present that option to the user (or for the user to be able to configure their UA to default to that choice)?

ianbjacobs commented 2 years ago

Here's an update in advance of the May WPWG meeting: 1) The WPWG has drafted a proposal [1] for a bit that an RP could set in a credential to indicate it is ok to use cross-origin with SPC. We are raising this directly with FIDO as it affects CTAP. 2) At our May WPWG meeting, we will discuss this with the Web Authentication WG and include in the discussion your point about whether there needs to be UX allowing the user to consent to the cross-origin capability at creation time.

We will leave this issue open as those conversations play out.

[1] https://github.com/w3c/webauthn/issues/1667#issuecomment-1060941206

samuelweiler commented 1 year ago

Per discussion on the 6 Apr 2023 PING call, I understand that using an SPC credential in a cross-origin context can only happen during payment flows. It is not possible to use an SPC credential for routine authentication cross-origin. Given that understanding, I'm downgrading this issue from -needs-resolution