How to declare that a registration only awaits for a Security Key? #1750
Comments
@justnotherdev This was raised here #1716 and the WG has chosen to ignore this use case from RPs.
Hi @Firstyear, thanks for your response. Yeah, I read your proposal and I completely agree. There should be consistent behavior between attestation and assertion. But what I want to know is if there's currently any workaround or something that may achieve this for registration. As I commented earlier, Google seems to achieve that in its WebAuthn call to navigator.credentials.create. It always shows "enter your security key". I would like to know if anyone here has some kind of workaround (I don't know, maybe setting some property on the navigator object) for that. Hope somebody on the team makes a further review of your proposal. A way to declare what auth method is being used (either a hint or a restriction) would be very helpful.
Sadly there are no workarounds :( You can enforce that it's only a security key in the registration by forcing attestation and checking the aaguid against a list of known authenticators, and then throw an error if it's not, but otherwise, there is no way to achieve this.
They won't :)
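The AAGUID check suggested in the comment above, as an added example that is not code from the thread or from the WebAuthn specification. It assumes the RP requested attestation, has already verified the attestation statement, and has CBOR-decoded `authData` out of the attestation object; the allow-list entry and `sampleAuthData` are constructed for illustration.

```javascript
// Constructed allow-list of accepted security-key models. The AAGUID below is a
// placeholder for illustration, not a real authenticator's AAGUID.
const ALLOWED_AAGUIDS = new Set(["00112233-4455-6677-8899-aabbccddeeff"]);
const ZERO_AAGUID = "00000000-0000-0000-0000-000000000000";
const FLAG_AT = 0x40; // "attested credential data included" bit in the flags byte

// authData layout: rpIdHash[32] | flags[1] | signCount[4] | aaguid[16] | credIdLen[2] | ...
function parseAaguid(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    throw new Error("authenticator data too short");
  }
  if ((authData[32] & FLAG_AT) === 0) {
    throw new Error("AT flag not set: no attested credential data");
  }
  if (authData.length < 55) {
    throw new Error("attested credential data truncated");
  }
  const hex = Array.from(authData.subarray(37, 53),
    (b) => b.toString(16).padStart(2, "0")).join("");
  return [hex.slice(0, 8), hex.slice(8, 12), hex.slice(12, 16),
    hex.slice(16, 20), hex.slice(20)].join("-");
}

// Hypothetical RP-side policy check, run after the attestation statement
// has been verified (verification is not shown here).
function checkRegistration(authData, allowed = ALLOWED_AAGUIDS) {
  const aaguid = parseAaguid(authData);
  if (aaguid === ZERO_AAGUID) {
    return { ok: false, aaguid, reason: "zero AAGUID: model cannot be identified" };
  }
  if (!allowed.has(aaguid)) {
    return { ok: false, aaguid, reason: "authenticator model not on allow-list" };
  }
  return { ok: true, aaguid, reason: null };
}

// Constructed sample: authData with flags UP|AT, a 4-byte credential ID,
// and no public key (enough for the AAGUID check only).
function sampleAuthData(aaguidHex) {
  const buf = new Uint8Array(37 + 16 + 2 + 4);
  buf[32] = 0x01 | FLAG_AT;
  for (let i = 0; i < 16; i++) {
    buf[37 + i] = parseInt(aaguidHex.slice(2 * i, 2 * i + 2), 16);
  }
  buf[54] = 4; // credIdLen, big-endian 0x0004
  return buf;
}
```

This check rejects the registration on the server after the ceremony has completed; it does not change which options the browser prompt offers.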
See also: #1688
Please use fido-dev@fidoalliance.org (register here: https://groups.google.com/a/fidoalliance.org/g/fido-dev) for implementation discussions. This repo is for the WebAuthn specification itself.
This has been covered a few times now. I'd like to reiterate @timcappalli's advice above and issue #1688, where @emlun outlines sentiment on the topic. I can't make this much clearer, but this is not something that will benefit adoption; constraining user options for authenticator registration is a rocky user experience. It is better for the RP to handle determining the authenticator upon attempted registration.
Hi, I had this question and searched everywhere without being able to find a solution. I want to set it up so that when I invoke the navigator.credentials.create() method it prompts me to insert a security key directly, not to choose an authentication method.
What I want to achieve:
What I get:
I know that in the case of navigator.credentials.get() I can set the transports property (usb and nfc) on allowCredentials and it would show me the "insert your security key" option directly. But I couldn't find a way to do that with registration.
I know there must be a way because Google does exactly that. The first screenshot is from an attempt to register a security key to my Google account, but I debugged the client side to see if they were passing any weird stuff to navigator.credentials.create(), and they were not.
Thanks in advance for any kind of insight you could have.