-
Notifications
You must be signed in to change notification settings - Fork 180
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support NoCredentialsError and UserCancelledError codes #2062
Comments
@AdamEisfeld this is what the autofill UI is designed for. If the user has a passkey on the device, it will appear in the autofill UI and user testing has shown that most users click it. If the user doesn't have a passkey on the device, they type in the email or username, and then you can initiate a creation flow, using the value from the form. |
@timcappalli That works if we just want a single mechanism of authentication, but (for example) in the current project I am building we require multi-factor authentication on sign-in, meaning the user must enter their email / password first, and then they must provide some other mechanism of authentication (this is where we allow the user to either use an OTP or - preferably - the credentials system. In this case, the user isn't entering a password when it comes time to access the credentials. I could have certainly missed something but am I correct in my understanding that the Autofill UI doesn't help with this scenario? |
@AdamEisfeld passkeys are not intended to be used as secondary credentials / second factors. They are purpose built to replace traditional primary factors such as username/password and be the primary factor for user sign in (e.g. a single gesture, multifactor authenticator). |
I can understand the reasoning as the goal seems to be to eliminate traditional email / passwords. That being said, the system works perfectly well as a secondary credential in cases where added security is desired, barring this one poor user experience during the edge case of the user having registered their device previously and then removed it manually or attempting to sign in on a new device that isn't yet registered. I'm sure many would love it to be resolved, but thats life I suppose. |
While it doesn't directly address your question/request, @MasterKale is working on improving some of the errors/exceptions in a way that maintains user privacy. |
Please keep in mind the concern that WebAuthn should not leak information about whther or not the user has credentials to the RP without user consent. |
Good call out @sbweeden, this has been top of mind for me since I started pondering improved error messaging. Previous conversations over the years have made it clear that any changes to error messaging without a user interaction before it is verboten. @AdamEisfeld's proposed changes require user interaction, and the additional error messages I'm proposing below do as well. Earlier this week I met with some colleagues internally and brainstormed some new error messages that would be nice to have as an RP that wants more visibility into why users are having issues signing in, and to potentially offer inline remediation advice:
NoCredentialsError |
@sbweeden please take a look at my comment immediately above from a month ago, I'd definitely value your input here too. |
I completely missed that - and am in complete support of those finer-grained errors. We need to get support from the browser vendors, and if agreed, then they should go into the PR. |
@MasterKale Sorry to interrupt, but what's the plan about adding these errors? I'm a new developer and dealing with lots of |
@Zhirui-Zhang please direct developer/deployment/implementation questions to passkeys.dev/discuss or the FIDO-DEV list. |
@nsatragno helped me understand last week that, unfortunately,
|
I'm closing out this issue for a new one, #2096, to consolidate the discussion around the five new errors I want to try and add to WebAuthn. |
Related
An alternate solution to #1568 / the issues described in #1749.
To Sum Up
The current paradigm creates a bad UX, because we have no way of knowing if a user has connected their current device to web auth, and so we either need to show them UI for both Create and Get paths, relying on their memory of what they have done, or we need to conditionally only show them the Get path if we "think" the user has connected their current device (based on some information passed to us from our backend), potentially causing the user to attempt web auth and fail if their connection has been destroyed for some reason.
Currently there are 2 existing proposed solutions to this problem out there:
Proposed Solution A is to implement a "Get OR Create" mechanism that handles the details under the hood. This would solve the primary issue but introduces other concerns around state / the desire for frontends to provide a bit of a custom Create path (eg; entering a custom "device name" to associate with the key).
Proposed Solution B is to implement a "does key exist" function that returns a simple boolean depending on whether or not the current device is indeed found in the list of allowed credentials. This would solve the primary issue but introduces possible anonymity / privacy concerns.
I would like to offer a third proposal.
Proposed Change
Currently, if a user attempts to Get credentials for a device that does not have any, they see some form of automatic "Passkey does not exist" UI, requiring the user to click a Cancel button to back out of the procedure. The error thrown from clicking this Cancel button is a DOMException, with a name of "NotAllowedError". This is the same error that is thrown if a user DOES have credentials for their device but still opts to manually cancel out of the procedure.
Change 1
Throw "NoCredentialsError" if the user cancels out of a credentials.get() flow AND the reason for the cancellation is due to the device not having any credentials.
Change 2
Throw "UserCancelledError" if the user cancels out of a credentials.get() flow AND the reason for the cancellation is NOT due to the device not having any credentials.
Benefits
Risks
The text was updated successfully, but these errors were encountered: