Hello @WillSmartYubico, thanks for the feedback. I implemented hints support as per the spec, but I'm hearing that webauthn.io would be more useful if I didn't follow the spec here. It's making me think that, because webauthn.io as an RP is unique, it'd be more useful to allow mixing hints and attachment because it'd allow for, to your point, omitting attachment and testing hints more directly. Am I understanding you correctly?
I think as a tool for helping people understand hints specifically, the ability to control it separately from attachment would be more helpful.
At a minimum I would say that the setting of attachment shouldn't be invisible to the user. I had to inspect the webauthn request to see why changing hints was having an effect on webauthn.io - but wasn't having an effect when setting it on another webauthn test site with the same client.
Having something visible (like setting the attachment dropdown when hints are changed, maybe?) that would let people test the spec-compliant "authenticatorAttachment SHOULD be set to..." without preventing seeing how platforms react to hints alone would be very handy, spec-compliant, and would help make it clear to the user what was going on.
As it stands with Windows right now - if you want to guide users to a specific authenticator but not restrict the authenticator choice, you cannot include authenticatorAttachment in the request 😞.
When setting registration hints under advanced options, webauthn.io will also silently set authenticator attachment.
https://github.com/duo-labs/webauthn.io/blob/3f2ea0e1072b655418f20c54dfd5b6a7cddd65da/_app/homepage/services/registration.py#L60C1-L61C1
This can cause confusion, as a user might reasonably expect that no authenticator attachment preference was sent.
When testing hints on a browser that doesn't support them, a user might conclude that hints work on the browser when they do not, or that hints restrict the choice of authenticator (like on Chrome for Windows), when they do not.
It would be helpful if setting hints did not silently set an authenticator attachment.
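The behaviour discussed in this thread, sketched as an added example (not webauthn.io's code): a registration-options builder that leaves `authenticatorAttachment` unset unless the caller asks for it, and returns a notice whenever it derives one from a hint so the UI can show it. The function name, the `derive_attachment` flag and the choice to derive from the first (most preferred) hint are assumptions of this example; the hint-to-attachment mapping follows the "SHOULD be set to" text in the WebAuthn Level 3 hint definitions.

```python
# Added example: hypothetical helper, not part of webauthn.io or py_webauthn.

# Compatibility mapping from the WebAuthn Level 3 hint definitions
# ("authenticatorAttachment SHOULD be set to ...").
HINT_TO_ATTACHMENT = {
    "security-key": "cross-platform",
    "client-device": "platform",
    "hybrid": "cross-platform",
}
VALID_ATTACHMENTS = (None, "platform", "cross-platform")


def build_selection(hints, attachment=None, derive_attachment=False):
    """Build the hints/authenticatorSelection part of the creation options.

    Returns (fragment, notice). `notice` is a string whenever the attachment
    that will be sent was not chosen explicitly, or disagrees with the hints,
    so the caller can display it instead of changing the request silently.
    """
    unknown = [h for h in hints if h not in HINT_TO_ATTACHMENT]
    if unknown:
        raise ValueError(f"unknown hints: {unknown}")
    if attachment not in VALID_ATTACHMENTS:
        raise ValueError(f"invalid attachment: {attachment!r}")

    notice = None
    if hints:
        # Assumption of this example: the first hint is the one to follow.
        suggested = HINT_TO_ATTACHMENT[hints[0]]
        if attachment is None and derive_attachment:
            attachment = suggested
            notice = (f"authenticatorAttachment set to {attachment!r} "
                      f"because of hint {hints[0]!r}")
        elif attachment is not None and attachment != suggested:
            notice = (f"explicit authenticatorAttachment {attachment!r} differs "
                      f"from {suggested!r} suggested for hint {hints[0]!r}")

    fragment = {"hints": list(hints), "authenticatorSelection": {}}
    if attachment is not None:
        # Only emit the key when a value was chosen or visibly derived.
        fragment["authenticatorSelection"]["authenticatorAttachment"] = attachment
    return fragment, notice


if __name__ == "__main__":
    print(build_selection(["security-key"]))                          # hints alone
    print(build_selection(["security-key"], derive_attachment=True))  # spec SHOULD
```

With `derive_attachment=False` the request carries hints only, which is the case the issue asks to be testable; with it enabled, the returned notice is what a UI would surface next to the attachment dropdown.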