@jyasskin - can you advise here and then assign back to @leshi or unassign?
Given that this is a feature (though my guess is our end decision will just be return error for this method), I am putting on WD-07 milestone.
@equalsJeffH @Nadalin @YubicoDemo for tracking.
The danger with allowing "undefined behavior" or "methods that do nothing now, but will do things in the future" in the spec is the following: People may build libraries/websites that do the right thing now, but will break when we update the API to have behavior where things are currently NOOPs
I'm guessing we should say something.... somewhere.... like preventSilentAccess() will have no effect on authenticators which require a user ceremony, but setting that flag may potentially exclude authenticators which can operate without user intervention.
credentials.preventSilentAccess() sets the origin-wide "prevent silent access flag" to true. That flag defaults to true, but the browser can set it to false if the user says to do so while signing in.
As I recently added to https://w3c.github.io/webauthn/#getAssertion
The get() implementation calls
PublicKeyCredential.[[CollectFromCredentialStore]]()to collect any credentials that should be available without user mediation (roughly, this specification鈥檚 authorization gesture), and if it doesn鈥檛 find exactly one of those, it callsPublicKeyCredential.[[DiscoverFromExternalSource]]()to have the user select a credential source.
If the "prevent silent access flag" is true, then no credentials should be available without user mediation, so get() always falls back to [[DiscoverFromExternalSource]]. This is redundant with the current behavior of WebAuthn, which always returns an empty set from [[CollectFromCredentialStore]]. It does have an effect on passwords today, which return data from [[CollectFromCredentialStore]].
When we add touchless authenticators in L2, WebAuthn will start returning assertions from [[CollectFromCredentialStore]]. At that point, if a library has called preventSilentAccess() to block silent use of passwords, it'll also require the browser to check with the user if they want to use their touchless authenticator.
Is that the right behavior in that case? The user has done something鈥攑robably tap the "sign out" button鈥攚hich indicates they want to be asked before the browser automatically uses their password to sign them in. Do they also want to be asked before the browser automatically uses their touchless authenticator to sign them in? If we think they probably do, then we're in a good place, with at most editorial changes needed to explain this in the spec. If we think they probably don't, then we need to change something.
@jyasskin wrote:
credentials.preventSilentAccess()sets the origin-wide "prevent silent access flag" to true. That flag defaults to true, but the browser can set it to false if the user says to do so while signing in.
however, note that credman does not at this time explicitly specify a means to _unset_ the prevent silent access flag to false. It only says in Requiring User Mediation that a user agent _could_ provide means to do so, eg as part of a credential chooser.
The user has done something鈥攑robably tap the "sign out" button鈥攚hich indicates they want to be asked before the browser automatically uses their password to sign them in. Do they also want to be asked before the browser automatically uses their touchless authenticator to sign them in?
I tend to think "yes".
If we think they probably do, then we're in a good place, with at most editorial changes needed to explain this in the spec.
agreed. this seems congruent with @jcjones's suggestion (https://github.com/w3c/webauthn/issues/565#issuecomment-339416894) of saying something about this in the present spec level.
Seems to me we can do now for wd-07 or add this to the CR pile.
@jyasskin What is the status ?
I will create a PR based on @jcjones 's October 25th comment.
Most helpful comment
@jyasskin wrote:
however, note that credman does not at this time explicitly specify a means to _unset_ the
prevent silent access flagtofalse. It only says in Requiring User Mediation that a user agent _could_ provide means to do so, eg as part of a credential chooser.I tend to think "yes".
agreed. this seems congruent with @jcjones's suggestion (https://github.com/w3c/webauthn/issues/565#issuecomment-339416894) of saying something about this in the present spec level.
Seems to me we can do now for wd-07 or add this to the CR pile.