zlacker

[return to "A Tour of WebAuthn"]
1. arianv+Lx 2024-12-27 00:09:37
>>caust1+(OP)
There are some hairy edge cases during registration that many get wrong (at least GitHub and Google had this bug): if create() returns but the passkey never reaches the server due to bad networking conditions, your password manager thinks it can log in but the server never recorded the passkey for the user. Basically there is no transactionality, and you can get into a split-brain situation where your password manager and your server don't agree, and it's very confusing for end users.

https://github.com/w3c/webauthn/issues/2038

They apparently came up with a fix for this using something called Signals API but I don't think any browser implemented that yet.

Just wanted to highlight that this part of the UX is hairy and hard to get right.

2. arnarb+vC 2024-12-27 01:16:34
>>arianv+Lx
Chrome on desktop did: https://developer.chrome.com/docs/identity/webauthn-signal-a...
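Added example, not code from either commenter: a client-side registration flow for the split-brain case in comment 1, using the Signal API that comment 2 says desktop Chrome ships. Once create() resolves the passkey already lives in the user's credential store, so if the attestation never reaches the server the client asks the store to forget it via PublicKeyCredential.signalUnknownCredential; the browser and network calls are injected (assumed names: create, sendToServer, isRegistered, signalUnknownCredential) so the logic runs outside a browser.

```javascript
// In a browser you would pass:
//   create: (o) => navigator.credentials.create({ publicKey: o })
//   signalUnknownCredential: PublicKeyCredential.signalUnknownCredential
// sendToServer / isRegistered are hypothetical RP endpoints (fetch wrappers).

function toBase64Url(bytes) {
  // rawId is raw bytes; the Signal API and most RP servers take base64url.
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

async function registerPasskey({
  rpId, options, create, sendToServer, isRegistered, signalUnknownCredential, maxAttempts = 3,
}) {
  // 1. create() resolving means the client side has committed; the server has not.
  const credential = await create(options);
  const credentialId = toBase64Url(new Uint8Array(credential.rawId));
  const payload = { credentialId, response: credential.response };

  // 2. Deliver the attestation. A thrown error is a transport failure (server
  //    state unknown); a non-ok result is an explicit rejection (server has no key).
  let transportFailed = false;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const res = await sendToServer(payload);
      if (res.ok) return { status: "registered", credentialId };
      transportFailed = false;
      break;
    } catch (_err) {
      transportFailed = true;
    }
  }

  // 3. After a transport failure the server may still have stored the key (the
  //    response, not the request, may have been lost), so check before deleting.
  if (transportFailed) {
    try {
      if (await isRegistered(credentialId)) return { status: "registered", credentialId };
    } catch (_err) {
      return { status: "unknown", credentialId }; // cannot tell; leave the key alone
    }
  }

  // 4. Server definitely lacks the key: tell the credential store to drop it so
  //    the user is never offered a passkey that cannot log them in.
  await signalUnknownCredential({ rpId, credentialId });
  return { status: "orphaned", credentialId };
}
```

The "unknown" outcome is deliberate: deleting a credential the server did record would recreate the same mismatch in the other direction.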
3. 1oooqo+kE1 2024-12-27 15:52:13
>>arnarb+vC
Now just 27 absurdly insane implementation hacks to solve.

WebAuthn is the only spec born like a 60-year-old legacy technology with global adoption. Everything about it is insane.

They didn't even think about having more than one key plugged in (mostly because the use case was just so that the device owns your identity, so they never thought the user would have control over the hardware), and the solution is to just blink all the keys and use the first one the user touches, while hoping the other keys will time out before the user actually has to use them. So much insanity.
