Meeting minutes
What are requirements when more than one SPC credential matches?
Stephen: Today in the implementation we accept the first credential that matches.
… WebAuthn as a model also views as a decreasing order of pref
… but they expect prompting of the user to pick the first one they like
John_Bradley: authenticators in CTAP will choose the "most recently created credential" of the allow list.
Ian: Is the goal "get one back however that is determined"?
John_Bradley: Nothing in allow list causes a list to be showing in CTAP
… nothing about credential IDs says "This is your blue authenticator"
<Zakim> SameerT, you wanted to say Ian, can you please run through the problem statement/scenario again
Doug: From a 3DS perspective it would be great if credentials were shown and nothing else.
… let's say SPC use case
Stephen: There are two levels: "Multiple authenticators are available" ...may want to ask the user to pick one.
… when credentials are from the same authenticator...the authenticator picks the most recent one.
<Zakim> smcgruer_[EST], you wanted to ask John to clarify behavior in CTAP vs "WebAuthn Authenticator Model" section of WebAuthn
John_Bradley: WebAuthn pretty much always shows you a dialog.
John_Bradley: The platform authenticator will give you list of credentials it has and an option to use a roaming authenticator.l
… lots of innovation in this space
IJ: Summary:
- When multiple authenticators, should user pick one?
- When multiple credential IDs for the same authenticator, implementation detail how one is chosen.
John_Bradley: Authenticator might show a pick list
… platform authenticators typically do a user verification before they present a pick list
smcgruer_[EST]: In case where user has one matching platform, the only issue I see is how the browser/OS presents option to plug in a roaming authenticator
IJ: should we have requirements?
John_Bradley: If there is an allow list you'll get back one (per CTAP). Windows shows a choosers
Ian: Could we just say "it's up to the implementation to get to 1, and it's an implementation detail?"
John_Bradley: What is the expectation about sequencing of uX?
… do you silently probe and then go back and do a get() with one credential id?
Stephen: The latter.
1) Browser receives a list of credential IDs.
2) Can ask (in the future) whether the platform authenticator knows it (Conditional UI)
3) our "no match" dialog could be extended to ask user to plug in roaming authenticator
John_Bradley: As long as we say credentials are created with cred protect levels 0 or 2
… at level 2, you need the credential ID
… at level 0, there's no privacy as long as the rpid is known
… Chrome currently uses cred level 2 for discoverable
… assuming you had, say, a Yubikey, Chrome could iterate over credentials with user presence 0, user verified 0 to determine whether available before user is prompted
… there's also an NFC use case where user needs to do a tap operation then they might need a dialog
… may be ok to only present "roaming" option if there's no platform credential available
Stephen: Good question.
John_Bradley: I think in most cases, you'd proceed with the platform authenticator if the issuer has provisioned it
Stephen: I'd be happy to punt to WebAuthn. The WebAuthn implementation could go ahead to resolve it.
Doug: Great discussion. We do have questions on 3DS side re: UX
… we should allow the RP to create more than one credential (may be done at PAN level rather than identity level)
… could the OS give an option to insert a roaming authenticator, and if the used it, could the assertion fail if there was no credential...would the RP know?
John_Bradley: That could not happen if you are using an allow list
John_Bradley: The list of credential ids doesn't tell you about which authenticator (platform or roaming) or if on this machine or not
JeffH: Doug brings up a key question - the data model.
… the data model needs to get decided
… if I understood correctly, it's whether the issuer is mapping the credentials to accounts or instruments.
John_Bradley: If you have one credential per PAN, where does WEbAuthn get info it will present.
Stephen: We don't do instrument selection; the merchant (and account provider) have chosen the instrument before SPC is called
John_Bradley: The answer to the question is "one response". We may want to clarify "what goes in the user id" and we could help avoid a pick list.
Stephen: At registration time, the RP should "be consistent"
John_Bradley: Yes, the RP should be consistent at registration time, otherwise there might be some UX issue.
ACTION: Ian to follow up with Stephen about next steps.
Next meeting
15 Nov. And we may push SPC topics to 18 Nov WPWG call since we have a lot.