Add a hints element for both create and get.
#1884
Conversation
As discussed at the face-to-face meeting of the working group on 2023-04-21, this change adds a `hints` element to both sets of options in order to allow sites to guide user agents in how best to complete the request.
|
Why not leveraging authenticatorSelection with authenticatorAttachment? The |
Adding a new attachment would break existing user-agents. We could work around that with a feature-detection system but then we would still have the issue that authenticatorSelection only exists for create(). For discoverable get() there wouldn't be any corresponding mechanism. |
That would be a bug in that user-agent then, because any rp could fill them with unknown values today and cause issues. So I think authenticator attachment still seems like a better place for this. It's a bit of a concern that we are adding a third area for authentication selection, given that we already have transports and attachament selectors. So I think the bigger risk is for there to be inconsistent and odd behaviours if you specify multiple or combinations of these parameters. |
|
There is a open issue (#1267) related to the authenticator selection for |
|
I like the idea to have a property where a rp can put generic hints for the user interface. And not limit it in any way to selection of the authenticator. I would vote for two additional hints:
Furthermore it would be nice as browser to have the ability to specify custom hints which are not defined (yet) in the spec. That would provide the opportunity to adopt quickly and later (if it makes sense) integrate them into the spec. As far as I know same mechanism is used in CSS specification. Then it is necessary to specify a pattern for browser specific prefixes (e.g. |
Both of these are already accommodated with a combination of the two options in this PR and authenticator attachment |
A WebAuthn level one implementation can reject any unknown values for authenticatorAttachment. A level two implementation should ignore unknown values. But my point is that, as an RP, you can't start using new values of authenticatorAttachment without knowing that the user-agent supports them, lest your attachment preference becomes completely ignored. That's one of the things that this proposal is trying to address: by having a list of strings we can define new hints in the future without RPs needing to worry that adding them will break older user agents.
I agree, but I think the direction that we should head in is to move away from the current authenticatorSelection and transport hints. The platform/cross-platform values were intended to express whether a credential was desired for local reauth or for signing in. And the transport hints were intended to guide the UI between prompting for a security key or not. But both are getting quite awkward: People took "cross-platform" to mean "security key", but now it means phones too and doesn't even mean "not platform" any more: if the platform authenticator is syncing to a phone then it's a candidate for attachment=cross-platform. Likewise, attachment=platform can get you a credential that you can use on another machine (e.g. making a credential on a hybrid-capable phone). Transports are stressed by the fact that authenticators can gain transports now—they're not fixed-function. Lots of credentials with transports=["internal"] became effectively ["internal", "hybrid"] when we updated Android, but of course weren't actually updated. So, overall, my thoughts are that:
|
Co-authored-by: Emil Lundberg <emil@yubico.com>
@agl You mean that at some point the authenticatorAttachment and transport hints are retired? Is it better to define more specific hints? e.g., platform, security-key, hybrid |
Does that apply to both create() and get() in your mind? I ask because we're rethinking that UI in Chrome for the get() case. (And I assume that you've some familiarity since you're using the Chromium terminology.)
Are you thinking that this always shows a QR code, even if the user has a linked phone? Or is it more generally suggesting using a phone? The latter is what I was getting at with |
Potentially. Or at least sites often stop populating them. (Many sites have never supported transport hints.)
I was aiming at defining the general interface first but perhaps that's just obscuring things. Have added these in the latest update. |
I would see this feature definitely in create(). get() is working fine if it uses the last used option (if possible and makes sense). No need to start always at the very beginning with the selection. It should be as quick as possible, because we use get() a lot more than create().
I like the "smartphone" approach (technically the enum value could maybe more generic like DeviceWithBLEAndCamera?). An reasonable implementation could be that the UI shows the list of registered devices (phones, tablets, ...) and offers a button "Use different phone or tablet". |
Yeah, I'd certainly agree here - as an enterprise it's currently impossible to really filter authenticators ahead of time with registration with the current fields. And as you correctly note, the lines are certainly becoming blurred with cable and phones as platform authenticators, that also can be cross platform. If we are proceeding in this way, would it also be worth future consideration to deprecate the "transports/attachment" parameters or to add elements in the spec since they are quite confusing and often not always correct? |
|
For the record, in general we've been fine with how browsers handle authentication when we return My higher-level requirement has been centered around the desire to individually trigger browsers' "security key" and "hybrid" flows so that we could show corresponding verbiage shown beforehand. The verbiage would help users understand what the browser will ask of them since some aspects of passkeys registration are still relatively new. If I'm understanding this correctly, the intent of {
// ...
authenticatorSelection: {
authenticatorAttachment: 'cross-platform'
},
hints: ['non-security-key'],
}
What about |
For enterprise, we'll need the opposite - to completely deny smartphones and hybrid due to the fact these platforms are unattested and third party backed. We'll need a way to limit to only tpm's and fido2 security key devices (generally, things that have aaguids). This is why in the past we've requested that during registration we can send a list of aaguids as a filter for "these are the only devices acceptable under our policy, so only proceed with them". |
|
As far as I understand, the |
|
Yes, I know they are hints, but they are still hints that would improve enterprise workflows in most cases by not proceeding with devices that are unable to succeed. |
|
Thinking out loud about potential string values for 🤔 |
|
(Notes from the call of 2023-05-17: I should update to include three values: security-key, local-device, and hybrid. Should document expected values of attachment for those cases and define that attachment (and transports?) are ignored when hints are given.) |
index.bs
Outdated
| :: Indicates that the [=[RP]=] believes that users will satisfy this request with a physical security key. For example, an enterprise [=[RP]=] may set this hint if they have issued security keys to their employees and will only accept those [=authenticators=] for [=registration ceremony|registration=] and [=authentication ceremony|authentication=]. For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}. | ||
|
|
||
| : <dfn>local-device</dfn> | ||
| :: Indicates that the [=[RP]=] believes that users will satisfy this request with a [=platform authenticator=]. For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/platform}}. |
There was a problem hiding this comment.
...users will satisfy this request with a [=platform authenticator=]
I think this would benefit from something explicitly tying this option to the "locally available" platform authenticator, the same device as the device the user is logging into. For me the ambiguity comes from the fact that hybrid implies use of a platform authenticator, but of course on a separate device than the access device the user is actually using.
There was a problem hiding this comment.
hybrid doesn't preclude security key on a remote device over cable though. We already have this working via webauthn-rs. hybrid just means "caBLE" here.
I'd say platform authenticator is reasonable here since to me it implies "same device" but perhaps "device bound authenticator" is clearer.
Since hybrid allows remote platform authenticators to be used, the previous wording was potentially ambiguous.
| <div dfn-type="enum-value" dfn-for="PublicKeyCredentialHints"> | ||
| [=[WRPS]=] may use this enumeration to communicate hints to the user-agent about how a request may be best completed. These hints are not requirements, and do not bind the user-agent, but may guide it in providing the best experience by using contextual information that the [=[RP]=] has about the request. Hints are provided in order of decreasing preference so, if two hints are contradictory, the first one controls. Hints may also overlap: if a more-specific hint is defined a [=[RP]=] may still wish to send less specific ones for user-agents that may not recognise the more specific one. In this case the most specific hint should be sent before the less-specific ones. | ||
|
|
||
| Hints MAY contradict information contained in credential {{PublicKeyCredentialDescriptor/transports}} and {{AuthenticatorSelectionCriteria/authenticatorAttachment}}. When this occurs, the hints take precedence. (Note that {{PublicKeyCredentialDescriptor/transports}} values are not provided when using [=discoverable credentials=], leaving hints as the only avenue for expressing some aspects of such a request.) |
There was a problem hiding this comment.
...Note that {{PublicKeyCredentialDescriptor/transports}} values are not provided when using [=discoverable credentials=]
Might this statement need a qualification that we're talking about usernameless authentication here, with an empty allowCredentials? Because passwordless authentication, that identifies the user beforehand (e.g. SSO account discovery precluding WebAuthn use) can definitely use discoverable credentials with transports by populating allowCredentials like normal.
index.bs
Outdated
| : <dfn>security-key</dfn> | ||
| :: Indicates that the [=[RP]=] believes that users will satisfy this request with a physical security key. For example, an enterprise [=[RP]=] may set this hint if they have issued security keys to their employees and will only accept those [=authenticators=] for [=registration ceremony|registration=] and [=authentication ceremony|authentication=]. For compatibility with older user agents, when this hint is used in {{PublicKeyCredentialCreationOptions}}, the {{AuthenticatorSelectionCriteria/authenticatorAttachment}} SHOULD be set to {{AuthenticatorAttachment/cross-platform}}. | ||
|
|
||
| : <dfn>local-device</dfn> |
There was a problem hiding this comment.
client-device, not local device.
|
As per the WAWG meeting on 7/12 this is okay to be merged before the next meeting when it's ready. |
|
From call of 2023-07-12: ok to land if Akshay and Emil are happy. |
I missed, when looking that the spec has a definition for "client device" already. Based on discussions in the WG, we want to use the already-defined term rather than invent a new alias.
Co-authored-by: Emil Lundberg <emil@yubico.com>
|
From call of 2023-08-16: good to merge. |
SHA: 410d0f7 Reason: push, by agl Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
As discussed at the face-to-face meeting of the working group on 2023-04-21, this change adds a
hintselement to both sets of options in order to allow sites to guide user agents in how best to complete the request.Preview | Diff