-
Notifications
You must be signed in to change notification settings - Fork 39
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How do RPs determine when to enroll the user? #124
Comments
Relates also to issue #98 |
This should work:
|
I would consider that a poor experience for a user who is already enrolled on this device, but whom declined SPC authentication during the current transaction (for whatever reason, maybe they cut their finger and their fingerprint reader isn't working). |
The relevant section of the WebAuthn spec, which SPC (deliberately) inherits its behavior here from is Authentication Ceremony Privacy:
Note that SPC makes the attack more serious, as it opens it up to any malicious site that has obtained credentials from the Relying Party (legitimately or otherwise). |
I just realized that I addressed Ian's 3rd bullet point while thinking about 1st time users without credentials on file with the RP. Please ignore my comment! |
Thinking about this some more, this flow seems sensible:
The possibility of opting out is not necessary, but can be a nice touch for some users. |
The current state of the art in WebAuthn is to use a cookie to track registration status for a given user+device:
This works 'ok' for WebAuthn, though developers have still complained that things like users clearing cookies breaks their WebAuthn flows. For SPC, using a cookie works less well:
To combat the general issue of 'how do I know the user has a credential' at auth-time, WebAuthn have suggested a semi-passive model (Conditional UI):
Websites are meant to handle step 5 by having alternate ways for the user to sign in, e.g. username/password. The Conditional UI approach is interesting but does not immediately apply to payments I think, nor to the enrollment question. (E.g. if the user logs in with username/password in the above example... do you offer to enroll them now?) |
This was discussed at the joint meeting today at TPAC with WPWG, WPSIG, WebAuthn, and Antifraud CG. It seems that the Web Authentication Adoption CG intends to publish some materials to help RPs know when to enroll the user. I understand they will describe a number of enrollment opportunities (including, e.g., when the device could support enrollment and the user has just elected to log in with a password). I'll keep this open for now, but we should monitor progress in the adoption CG. |
Here's the challenge:
The text was updated successfully, but these errors were encountered: