[webauthn] Cleanup when creating discoverable credentials with attestations (#1560)

dwaite has just created a new issue for https://github.com/w3c/webauthn:

== Cleanup when creating discoverable credentials with attestations ==
When a relying party wishes to use attestations, the flow is one where the site presents the UX on what is acceptable, the user gestures an authenticator to create a credential, and then the site verifies the attestation, possibly showing an error ("no we're serious, use that authenticator we mailed you").

However, on this attestation failure the user will continue to have the 'orphaned' credential on an authenticator, potentially presented to them as a valid option in a selector. The credential record itself does not contain information needed to disambiguate which credential is the correct one, which could potentially make use of a credential management UX into a game of Russian roulette.

This could also potentially happen multiple times on a single unacceptable authenticator if credential creation happens during a registration process. The user (not understanding the correct response to a site-given error) may try different browsers or clearing their history to troubleshoot the issue. The user likely doesn't have a user handle value yet (as they do not have an account), and authenticators are allowed to store multiple credentials per (user handle, rpid).
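One relying-party-side mitigation for the retry case described above, as an added example that is not from the issue or the WebAuthn spec: the registration session remembers credential IDs whose attestation the RP rejected, feeds them into `excludeCredentials` on the next attempt so the same authenticator is not asked to mint another orphan, and returns the rejected credential ID in the error so the user knows which entry to remove. The AAGUID allowlist values and the session structure are constructed for illustration; AAGUID extraction from the verified attestation is assumed to be done by a WebAuthn library and is not shown.

```python
from dataclasses import dataclass, field

# Constructed allowlist of authenticator AAGUIDs (hypothetical values) that the
# RP's attestation policy accepts, e.g. the model it mailed to its users.
ACCEPTED_AAGUIDS = {"0000aaaa-0000-0000-0000-0000000000aa"}


@dataclass
class RegistrationSession:
    rp_id: str
    challenge: bytes
    # Credential IDs created in this session whose attestation was rejected.
    # Kept server-side because the user has no account (and no user handle) yet.
    rejected_credential_ids: list = field(default_factory=list)


def creation_options(session):
    """Return the parts of PublicKeyCredentialCreationOptions relevant here.

    Previously rejected credential IDs go into excludeCredentials so a retry on
    the same unacceptable authenticator fails fast instead of creating another
    orphaned discoverable credential."""
    return {
        "rp": {"id": session.rp_id},
        "challenge": session.challenge,
        "attestation": "direct",
        "authenticatorSelection": {"residentKey": "required"},
        "excludeCredentials": [
            {"type": "public-key", "id": cid} for cid in session.rejected_credential_ids
        ],
    }


def handle_registration_result(session, credential_id, aaguid):
    """Apply the RP's attestation policy to a freshly created credential.

    `aaguid` is assumed to come from the authenticator data of an attestation
    that a WebAuthn library has already verified (not shown)."""
    if aaguid in ACCEPTED_AAGUIDS:
        return {"ok": True, "credential_id": credential_id}
    session.rejected_credential_ids.append(credential_id)
    return {
        "ok": False,
        "error": "authenticator not accepted by policy",
        # The credential record on the authenticator carries no hint about
        # why it exists, so name the orphan explicitly for the user.
        "orphaned_credential_id": credential_id,
    }
```

The error payload is what the RP's UX would use to tell the user which credential to delete from their authenticator's credential management, rather than leaving them to guess.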

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1560 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 4 February 2021 09:23:56 UTC