webauthn
Provide a way for an RP to indicate backup preference during credential registration for providers who support both backed-up and non-backed up credential
Description
Passkey providers/authenticators now support both backed-up and non-backed-up credentials. The choices they offer vary from one provider to another.
Currently, an RP has no way to express its preference regarding backed-up credentials. For example, some enterprises and high-security consumer RPs may want a non-backed-up credential. Other RPs may prefer a backed-up credential for their use cases, for availability everywhere across current and future devices.
For providers that support both backed-up and non-backed-up credentials, the RP's preference helps guide the user.
Hence, we need a way for an RP to indicate their backup preference in WebAuthn spec.
Note: Given the different options provided by providers/authenticators, their capabilities, user choices, etc., RPs must expect both backed-up and non-backed-up credentials in registration responses.
See also:
- #1714
- #1688
I worry that the option to disable backup/sync for some credentials would confuse users, ultimately getting them locked out because they weren't aware that some credentials were not backed up. A "soft" preference (i.e., hints) would be less of a problem in that way than a hard filter, but I'm not sure it's really much of a mitigation, as any user messaging about it could easily be glossed over or skipped through.
This is not an explicit "hard" option.
This is a "soft" preference via hints as indicated in #2253 .
For providers that offer such a choice to the user, this is beneficial, as the user can choose with more context. We have done multiple user studies to design the experience with appropriate explanation to remove the confusion.
This is beneficial for providers and users, while RPs may still need to handle both backed-up and device-bound credentials even if they set device-bound credentials as the preferred kind. In some sense, if the RP has a choice to accept backed-up or device-bound credentials with this hint, the user's friction will depend on the RP.
Update (2/19): We are gathering more information from the enterprises and it is going to take some time. We will come back with more information or an updated proposal once we have more information. Please keep this issue/PRs open for L4 till we figure out the direction for Enterprises on unmanaged devices.
From WG F2F: Possible solutions include...
WebAuthn
- New `.create()` options extension, defined in WebAuthn or Microsoft-hosted
- Something hints-based, but not using the existing `hints` because hints have sorting
Non-WebAuthn
- User opts into a "work context"
- User installs managed authenticator