Usability of error messages in FIDO2
The included JavaScript currently just does an alert with the raw exception on errors. This is far from ideal usability-wise.
There are some common cases where errors can occur:
- Users cancel the WebAuthn flow (NotAllowedError)
- The key is already registered (i.e. included in excludedCredentials) (InvalidStateError)
Unfortunately, none of these exceptions seem to be specific to those situations, so we cannot just check for them to show a meaningful error message.
In the case of cancellation, no error is probably the best option.
In the case where the key is already registered, Chrome displays a useful error message on its own, so showing another one is not helpful. Firefox, on the other hand, doesn't show anything, so a custom error message is needed.
Unexpected errors should also be displayed somehow.
https://github.com/MasterKale/SimpleWebAuthn/blob/master/packages/browser/src/helpers/identifyRegistrationError.ts could be a helpful resource to interpret errors.
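One way to map the cases listed above to user-facing behaviour, as an added example (not this project's code and not SimpleWebAuthn's). The function names, the `browserExplainsDuplicate` option, the `ui` callbacks and the message texts are assumptions; only the two exception names come from the issue.

```javascript
// Hypothetical helper: decide what to show for an error thrown by
// navigator.credentials.create(). Decisions are keyed on err.name only,
// never on err.message, which differs between browsers.
const ACTIONS = Object.freeze({ SILENT: "silent", MESSAGE: "message" });

function classifyRegistrationError(err, { browserExplainsDuplicate = false } = {}) {
  const name = err && typeof err.name === "string" ? err.name : "";
  switch (name) {
    case "NotAllowedError":
      // Raised on cancellation, but not only then, so it cannot be
      // reported as a specific failure. Show nothing.
      return { action: ACTIONS.SILENT, kind: "cancelled-or-denied" };
    case "InvalidStateError":
      // Most likely an authenticator listed as already registered.
      // Stay silent when the browser shows its own explanation.
      if (browserExplainsDuplicate) {
        return { action: ACTIONS.SILENT, kind: "already-registered" };
      }
      return {
        action: ACTIONS.MESSAGE,
        kind: "already-registered",
        message: "This security key appears to be registered already.",
      };
    default:
      // Unexpected: generic text for the user, details go to the log.
      return {
        action: ACTIONS.MESSAGE,
        kind: "unexpected",
        message: "Registration failed. Please try again.",
      };
  }
}

// ui is an assumed object with log(err) and showMessage(text), so the
// page's real widgets can be plugged in in place of alert().
function handleRegistrationError(err, ui, opts) {
  const result = classifyRegistrationError(err, opts);
  ui.log(err); // raw exception for developers only, never shown to the user
  if (result.action === ACTIONS.MESSAGE) {
    ui.showMessage(result.message);
  }
  return result;
}
```

The caller decides how `browserExplainsDuplicate` is set, since the issue only states that Chrome shows its own message and Firefox does not.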