New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authenticators that do not recognize any handles shouldn't just be dropped on the floor #863
Comments
This issue stands in opposition to issue #867. update by @equalsJeffH: related to this are user experience (UX) use cases, see issue #334 |
I'm not sure this would make for the best user experience. I agree that it's valuable to be able to inform the user that an authenticator doesn't have any applicable credentials, but could that be done by the browser instead of the RP? In https://bugs.chromium.org/p/chromium/issues/detail?id=828567 you say:
If the browser has this knowledge, why not present that to the user directly? As pointed out in #867, it would likely make for a confusing and frustrating user experience if multiple authenticators light up when only one of them can generate a valid response. I imagine it could look something like this:
Would that work? |
@emlun wrote:
I wonder whether the browser folk are reticent to directly provide UX of this sort because of the desires for RPs to have fine-grained control over such UX (as has been argued as the reason the UA-provided HTTP authentication dialogs are hardly ever employed) ? Hm, also, if not the UA handling the UX, the RP's client-side JS could handle all this authnr-selection interaction, without necessarily incurring the latency of comms with the server, yes? |
For the record, I think that consistency with CTAP2 isn't really necessary in this case. CTAP2 specifies a 1-to-1 client-to-authenticator interaction while WebAuthn specifies a 1-to-many client-to-authenticator interaction, so I think it makes sense to handle the case differently on the two levels.
Good point. My concern with the solution proposed here is how it would interact with combinations of multiple authenticators. Multiple blinking USB dongles is one thing, and likely a minority use case, that might be a little annoying but probably quite harmless - but what about platform authenticators? If this would mean that USB dongles would light up and an OS popup would appear on every authentication even if the platform authenticator isn't eligible, I suspect that might be more disorienting than helpful. All of this is speculation, though - I'd be happy to re-evaluate my position if there are any user studies (of any size) on this. And then again there's the UX customization issue which could hurt adoption. I don't really feel qualified to tell which is the lesser evil... |
Yes, but what I'm more worried about is friction in the user interaction - having to start the ceremony all over after it seems like you're done, instead of being nudged to plug in a different authenticator. |
Sorry for going AWOL, wanted to double-check some facts with folks first before making a bunch of assertions :-) Jeff largely has it right with regards to not wanting to do all the UX in the browser. It's also difficult to build functioning RPs if we don't respond to certain calls.
Regarding platform authenticators, Chrome does intend to have a dialog to notify the user (and not call down to the platform authenticator, so as to prevent OS popups), after which Chrome will return to the RP. For what it's worth, we have empirical evidence from our rollout of security keys at Google (using the cryptotoken extension) where we got lots of bug reports saying their 'keys didn't work' when in fact they weren't registered. When cryptotoken changed to make them blink, the complaints stopped (rigorous user study, right??). |
It's definitely better than my pure speculation, at least. 😄
I don't quite understand what you mean by that - notify the user about what? In the scenario where a laptop has a platform authenticator built in and |
Yeah, I wasn't clear. If Otherwise, both RP and user would just sit there for the entire timeout with blank looks of confusion. |
Ok. What I meant to ask was if a) the laptop had a platform authenticator and then what would Chrome do? |
So, to be honest, today, there's no good way in WebAuthn for an RP to indicate that they "definitely only want to deal with platform authenticators" when doing a "get" (or sign). I believe this might be a bit of a drawback for RPs who really don't want to bother users with external devices, but let's plan on discussing that in more detail in Amsterdam. Let's assume for a moment the RP has a way to say "I definitely want a platform authenticator" and say so. In that case, Chrome will present a dialog to the user saying "there are no keys here" and then will notify the RP upon dismissal of the box. If the RP doesn't specify a preference (or says that the key might explicitly be on a roaming authenticator) I think we should tell the user to insert a key. If the user is confused by the dialog and closes it, tell the RP that there's no credential here. Does that make sense? |
Yes, that makes sense to me. @kpaulh's assertion about empirical results had me mostly convinced, but I was curious about what the introduction of platform credentials would mean for this. That said, the 2018-04-25 WG call decided to not take this on until L2. I'm not sure what that means for whether or not Chrome's behaviour as described here will be conformant with the L1 spec.
My thoughts on this:
1: The RP can check 2: Alternatively, the RP can just do the |
@kpaulh to create PR |
Coming back to this...
I suppose Chrome at that time didn't have a popup telling the user that the connected authenticator isn't registered? Would such a dialog eliminate the need for user action on the authenticator? |
Yeah, with UI, we probably don't need this. |
shud we punt this to WD-02 ? |
Punt or drop. With a browser dialog I don't think requiring an authenticator touch really makes sense. |
punt to WD-02 |
@equalsJeffH @kpaulh Please review |
The issue has been resolved as far as Google and Microsoft are concerned now that Chrome has retry UI. My only lingering question is how Mozilla plans to handle this case without UI, and if the wording in the spec should allow for both a) UI that tells the user to try a different key or b) in the absence of UI, require a touch before returning anything to the RP. |
Mozilla will eventually have a similar UI, but that might be a while. Nevertheless, perhaps this can be closed, then. |
this would be UI materialized by the client platform, not the RP ? |
@equalsJeffH right, UI in the browser that can silently query authenticators without making them blink. But if J.C. is satisfied for now, I'd say we can close this. |
Context from the sister issue raised in the CTAP2 spec: fido-2-specs/issues/509:
"When a privacy-conscious client collects assertions, it does not reveal immediately to an RP that no authenticator recognized any of the identifiers in the allow list. Doing so would allow malicious RPs to test for the presence of authenticators using only a credential id.
In Chrome, both in U2F and WebAuthn, we handle this by making plugged in USB authenticators blink until the user selects one of them (and thereby gives consent to reveal its presence). At that point we return an error indicating that no key handle was recognized."
We had been doing this in the cryptoken extension as well. However, the WebAuthN spec, in 6.2.3.2, states that if no credentials are present on that authenticator,
"return an error code equivalent to "NotAllowedError" and terminate the operation."
(Effectively, drop the device on the floor and waiting for other hotplugged devices.)
To be consistent with CTAP2, we think we should send the authenticator one of the keyhandles so that it blinks, and if the user selects that authenticator by giving it a tap, then return "InvalidStateError" to indicate the user tried to use a device that wasn't actually registered.
(Similar to how the spec handles user consent for already-registered authenticators in 6.2.2.3)
The text was updated successfully, but these errors were encountered: