Provide API for indicating whether the platform has attached(bound) authenticator or not #1218

Closed
Kieun opened this issue May 15, 2019 · 4 comments

Comments

@Kieun
Member

Kieun commented May 15, 2019

The WebAuthn API has isUVPAA() for the RP to check whether the current user device has an available platform authenticator.
This API may return true if the following conditions are met:

  1. The platform provides or has attached (bound) WebAuthn authenticators
  2. The authenticator is enabled (feature turned on) and user verification method (like PIN or biometrics) is enrolled on the authenticator if it supports uv.

Sometimes the RP wants to promote WebAuthn even in the case where the user has a platform authenticator but it is not enabled.
If there is such an API, RPs are willing to check and show some guides for users to enable the authenticator depending on the policy.

I'm not sure how many of the users' devices do have the platform authenticator but do not have it enabled, for Android/Win10.

@equalsJeffH
Contributor

equalsJeffH commented May 16, 2019

(a) The authenticator is enabled (feature turned on) and (b) user verification method (like PIN or biometrics) is enrolled on the authenticator (c) if it supports uv.

Well, given the description of the isUserVerifyingPlatformAuthenticatorAvailable() Method (isUVPAA()), it is client platform-specific as to (a) and (b). The intent of that method is to answer the (c) question.

You are arguing that isUVPAA() ought to be more rigorously specified wrt (a) and (b)? I'm not sure whether that would be viewed as reasonable by client platform implementors.

@Kieun
Member Author

Kieun commented May 17, 2019

@equalsJeffH Just returning true/false to the RP is not sufficient to handle UVPAA. As @jafisher-microsoft suggested, we would get more information. This is also good for platform vendors since they are able to get more chances to enable such new features.
Currently, Win10 and Android do not return true even if there is a supported authenticator on the platform, if it is not enabled.
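
The limitation discussed in this thread, as an added example (not code from the thread or from the WebAuthn spec): an RP-side check built on `isUVPAA()` can report only three states, and a `false` result merges "no platform authenticator" with "present but not enabled". The function names, state labels and the injectable `scope` parameter are assumptions for illustration.

```javascript
// Added example, not from the thread or the WebAuthn spec.
// detectPlatformAuthenticator, enrollmentPrompt, the state strings and the
// injectable `scope` parameter are hypothetical names chosen for illustration.
const STATE = Object.freeze({
  UNSUPPORTED: "webauthn-unsupported",
  AVAILABLE: "uvpaa-available",
  // isUVPAA() resolved false: either no platform authenticator at all, or one
  // that is present but turned off / has no PIN or biometric enrolled.
  // The boolean result cannot tell these apart.
  UNAVAILABLE_OR_NOT_ENABLED: "uvpaa-unavailable-or-not-enabled",
});

async function detectPlatformAuthenticator(scope = globalThis) {
  const pkc = scope.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return STATE.UNSUPPORTED;
  }
  try {
    const available = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
    return available === true ? STATE.AVAILABLE : STATE.UNAVAILABLE_OR_NOT_ENABLED;
  } catch {
    // Fail closed: an unexpected rejection is treated as "not available".
    return STATE.UNAVAILABLE_OR_NOT_ENABLED;
  }
}

// Map the detection result to what the RP shows on its sign-in settings page.
function enrollmentPrompt(state) {
  switch (state) {
    case STATE.AVAILABLE:
      return { offerPlatformRegistration: true, showEnableGuide: false };
    case STATE.UNAVAILABLE_OR_NOT_ENABLED:
      // Guidance has to stay generic ("if your device has a screen lock or
      // biometrics, turn it on") because the RP cannot know which case applies.
      return { offerPlatformRegistration: false, showEnableGuide: true };
    default:
      return { offerPlatformRegistration: false, showEnableGuide: false };
  }
}
```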

@emlun emlun added this to the L2-WD-02 milestone Jun 19, 2019
@emlun
Member

emlun commented Jun 19, 2019

PR #1219 no longer covers this.

@equalsJeffH
Contributor

UA implementors are uncomfortable with adding a feature such as this as noted above #1218 (comment), closing this
