w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

clarify "authenticator model": RPs may perform feature-based authenticator selection #645

Closed equalsJeffH closed 6 years ago

equalsJeffH commented 6 years ago

clarify "authenticator model": RPs may perform feature-based authenticator selection with both

  1. navigator.credentials.create() (which invokes webauthn's #createCredential), and
  2. navigator.credentials.get() (which invokes webauthn's #getAssertion).

In (1), options stipulating "require resident key" and "require user verification" are expected to be passed (see also #536, #524), e.g., ultimately to CTAP's authenticatorMakeCredential command.

In (2), options stipulating "require user verification", "require user presence test" are expected to be passed (see also #629, #524), e.g., ultimately to CTAP's authenticatorGetAssertion command.

emlun commented 6 years ago

> In (2), options stipulating "require user verification", "require user presence test" are expected to be passed

Current language specifies to always perform a user presence test (unless user verification is performed), so the latter option does not currently exist (as discussed in https://github.com/w3c/webauthn/issues/629#issuecomment-336574658).
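Added example, not part of the original thread or of the WebAuthn project's code: a relying-party sketch of the options discussed above for `navigator.credentials.create()` and `navigator.credentials.get()`, plus a check that the returned authenticator data flags match what was requested. The function names, the `example.com` RP and the sample user are assumptions; the option member names (`authenticatorSelection.requireResidentKey`, `userVerification`) are those of the published WebAuthn API, and the presence rule follows the wording in the comment above.

```javascript
// Flag bits in the authenticatorData flags byte.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

// (1) Options for navigator.credentials.create(): selection at registration time.
function buildCreateOptions(challenge, { residentKey, userVerification }) {
  return {
    publicKey: {
      challenge,
      rp: { id: "example.com", name: "Example RP" },              // constructed
      user: { id: Uint8Array.of(1, 2, 3, 4), name: "alice",
              displayName: "Alice" },                             // constructed
      pubKeyCredParams: [{ type: "public-key", alg: -7 }],        // ES256
      authenticatorSelection: { requireResidentKey: residentKey, userVerification },
    },
  };
}

// (2) Options for navigator.credentials.get(). There is no user-presence
// option: per the thread, a presence test is always performed.
function buildGetOptions(challenge, { userVerification }) {
  return { publicKey: { challenge, rpId: "example.com", userVerification } };
}

// Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
function checkFlags(authData, userVerification) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    return { ok: false, reason: "authenticatorData too short" };
  }
  const flags = authData[32];
  const up = (flags & FLAG_UP) !== 0;
  const uv = (flags & FLAG_UV) !== 0;
  if (userVerification === "required" && !uv) {
    return { ok: false, reason: "user verification required but UV flag not set" };
  }
  if (!up && !uv) {
    return { ok: false, reason: "neither user presence nor user verification" };
  }
  return { ok: true, up, uv };
}

// Constructed sample: zeroed rpIdHash and signCount, caller-chosen flags.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  return data;
}
```

The flag check only makes sense after the signature over the authenticator data has been verified; it does not replace the `rpIdHash`, challenge and origin checks.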

selfissued commented 6 years ago

This is not actionable without a PR. @equalsJeffH - do you plan to create one soon - ideally during this week's FIDO plenary?

equalsJeffH commented 6 years ago

Yes, I plan to "create one soon", but meeting(s) I'm participating in have priority.

equalsJeffH commented 6 years ago

Fixed by PR #782.