Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Silently setting authenticator attachment with hints may cause confusion. #142

Open
WillSmartYubico opened this issue Aug 26, 2024 · 2 comments

Comments

@WillSmartYubico
Copy link

When setting registration hints under advanced options, webauthn.io will also silently set authenticator attachment.
https://github.com/duo-labs/webauthn.io/blob/3f2ea0e1072b655418f20c54dfd5b6a7cddd65da/_app/homepage/services/registration.py#L60C1-L61C1

This can cause confusion, as a user might reasonably expect that no authenticator attachment preference was sent.

When testing hints on a browser that doesn't support them, a user might conclude that hints work on the browser when they do not, or that hints restrict the choice of authenticator (like on Chrome for Windows), when they do not.

It would be helpful if setting hints did not silently set an authenticator attachment.

@MasterKale
Copy link
Collaborator

Hello @WillSmartYubico, thanks for the feedback. I implemented hints support as per the spec, but I'm hearing that webauthn.io would be more useful if I didn't follow the spec here. It's making me think that, because webauthn.io as an RP is unique, it'd be more useful to allow mixing hints and attachment because it'd allow for, to your point, omitting attachment and testing hints more directly. Am I understanding you correctly?

@WillSmartYubico
Copy link
Author

I think as a tool for helping people understand hints specifically, the ability to control it separately from attachment would be more helpful.

At a minimum I would say that the setting of attachment shouldn't be invisible to the user. I had to inspect the webauthn request to see why changing hints was having an effect on webauthn.io - but wasn't having an effect when setting it on another webauthn test site with the same client.

Having something visible (like setting the attachment dropdown when hints are changed, maybe?) that would let people test the spec compliant "authenticatorAttachment SHOULD be set to..." without preventing seeing how platforms react to hints alone would be very handy, spec compliant, and would help make it clear to the user what was going on.

As it stands with Windows right now - if you want to guide users to a specific authenticator but not restrict the authenticator choice, you cannot include authenticatorAttachment in the request 😞.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@MasterKale @WillSmartYubico and others