Meeting minutes
PR Discussion
Discussing w3c/
Tim framing the problem: The current developer guidance to relying parties for whether they can offer passkeys to users is to call isUVPAA() and isConditionalMediationAvailable(). One returns a boolean, the other a promise. This is already complex . This also doesn't tell the whole story.
Shane: These two methods both return a boolean now
John: What do browsers think about this? Is this going to be gated across Firefox and other platforms? Is this going to be a dynamic value? how can isPasskeyPlatformAuthenticatorAvailable() be changed by the platform and client?
Tim: User should be able to remediate
MattM: This could be difficult for an RP, where we might want to provide steps for remediation
Tim: Anything a user can fix on their own will be prompted by the client device
MattM: we haven't seen this out in the wild all the time. ex: Chrome asks to enable bluetooth only once, but if disallowed, there is no further prompt and remediation becomes difficult
Tim: There's a layering problem here where we decide what remediation should be handled where
Nick Steele: this might not be able to pick up platform providers
Tim C: If you're ( a third party provider) intercepting the request (which all are right now) then you should be able to pick up and respond
John: The other way to frame this would be something like isCTAP2RoamingAuthenticatorSupported()
Tim: this doesn't work in a firefox case
Discussion around what types of providers and authenticators would be available to respond true/false to the proposed method
Discussion around scenarios where a platform passkey authenticator may not be available but there is a synced passkey available
MattM: Cisco currently struggling with
… webviews that say WebAuthn API are available but error out upon request
Discussion around legacy browsers and webviews where they might be unable to access this information or even make use of passkeys
John: So this may help people when presented with Web Kiosks or versions of Linux that may have versions of CTAP2
Tim agrees this is helpful for public terminal / personal devices flows
MattM: Would we be able to concat isUVPAA and isHybrid into a single call?
Tim: separate PR drafted
MattM: Does this clash with the Hinting proposal posed at the F2F?
Ackshay: diff issue
MattM: there is overlap here
Tim: there are hints provided here
MattM: figuring out how much conflict there is here btwn the two methods
Tim: Emil had many good comments, to respond to them in bulk: 'I agree, but some of this should be a diff PR'
Tim: Well Firefox had a method along the lines of CTAP2withClientPin() that was fairly valuable, could be worth including, there's two separate sets of verbosity here
Tim: This value is true/false but discloses just as much as isUVPAA()
some disagreement
John et al.: could give one more bit of info than UVPAA
Emil: I have some issue with how the term/spec defines Platform Authenticator
Nick Stele: existing issue in the repo for better defining the current state of Platform Authenticator
Trying to gain consensus on the name and coverage of the method
JohnPascoe: I don't think there's any older platforms [for Apple] that wouldn't be able to support passkeys
Chair tabling discussion on call to move to other open issues
Tim: Waiting on more reviews
ACTION: Adam and John to review w3c/
woop
ACTION: Adam and John to review w3c/
MattM Merged
Chair moves to triage open PRs and issues
Discussion around what we want to add before finishing level 3
Discussion around what would occur after working group disbandment
W3C Errata discussion