WebAuthn Working Group Bi-Weekly

14 June 2023


AckshayKumar, AndersAberg, DavidTurner, EmilLundberg, JamesZhang, JasonCai, JohnBradley, JohnPascoe, MikeJones, ShaneWeeden, TimCappalli
tying to understand how much information we wish to disclose in these methods
Nick Steele, steele

Meeting minutes

PR Discussion

Discussing w3c/webauthn#1901

Tim framing the problem: The current developer guidance to relying parties for whether they can offer passkeys to users is to call isUVPAA() and isConditionalMediationAvailable(). One returns a boolean, the other a promise. This is already complex . This also doesn't tell the whole story.

Shane: These two methods both return a boolean now

John: What do browsers think about this? Is this going to be gated across Firefox and other platforms? Is this going to be a dynamic value? how can isPasskeyPlatformAuthenticatorAvailable() be changed by the platform and client?

Tim: User should be able to remediate

MattM: This could be difficult for an RP, where we might want to provide steps for remediation

Tim: Anything a user can fix on their own will be prompted by the client device

MattM: we haven't seen this out in the wild all the time. ex: Chrome asks to enable bluetooth only once, but if disallowed, there is no further prompt and remediation becomes difficult

Tim: There's a layering problem here where we decide what remediation should be handled where

Nick Steele: this might not be able to pick up platform providers

Tim C: If you're ( a third party provider) intercepting the request (which all are right now) then you should be able to pick up and respond

John: The other way to frame this would be something like isCTAP2RoamingAuthenticatorSupported()

Tim: this doesn't work in a firefox case

Discussion around what types of providers and authenticators would be available to respond true/false to the proposed method

Discussion around scenarios where a platform passkey authenticator may not be available but there is a synced passkey available

MattM: Cisco currently struggling with
… webviews that say WebAuthn API are available but error out upon request

Discussion around legacy browsers and webviews where they might be unable to access this information or even make use of passkeys

John: So this may help people when presented with Web Kiosks or versions of Linux that may have versions of CTAP2

Tim agrees this is helpful for public terminal / personal devices flows

MattM: Would we be able to concat isUVPAA and isHybrid into a single call?

Tim: separate PR drafted

MattM: Does this clash with the Hinting proposal posed at the F2F?

Ackshay: diff issue

MattM: there is overlap here

Tim: there are hints provided here

MattM: figuring out how much conflict there is here btwn the two methods

Tim: Emil had many good comments, to respond to them in bulk: 'I agree, but some of this should be a diff PR'

Tim: Well Firefox had a method along the lines of CTAP2withClientPin() that was fairly valuable, could be worth including, there's two separate sets of verbosity here

Tim: This value is true/false but discloses just as much as isUVPAA()

some disagreement

John et al.: could give one more bit of info than UVPAA

Emil: I have some issue with how the term/spec defines Platform Authenticator

Nick Stele: existing issue in the repo for better defining the current state of Platform Authenticator

Trying to gain consensus on the name and coverage of the method

JohnPascoe: I don't think there's any older platforms [for Apple] that wouldn't be able to support passkeys

Chair tabling discussion on call to move to other open issues




Tim: Waiting on more reviews

ACTION: Adam and John to review w3c/webauthn#1893


ACTION: Adam and John to review w3c/webauthn#1891 NOT w3c/webauthn#1893


MattM Merged

Chair moves to triage open PRs and issues

Discussion around what we want to add before finishing level 3

Discussion around what would occur after working group disbandment

W3C Errata discussion

Summary of action items

  1. Adam and John to review w3c/webauthn#1893
  2. Adam and John to review w3c/webauthn#1891 NOT w3c/webauthn#1893
Minutes manually created (not a transcript), formatted by scribe.perl version 210 (Wed Jan 11 19:21:32 2023 UTC).


No scribenick or scribe found. Guessed: steele

Maybe present: Ackshay, Emil, John, MattM, Shane, Tim

All speakers: Ackshay, Emil, John, JohnPascoe, MattM, Shane, Tim

Active on IRC: soba, steele