Privacy concern with preferImmediatelyAvailableCredentials

As per the WebAuthn spec for Privacy, the authenticator shouldn't disclose the availability of keys on the device (although, as a trusted RP, knowing this info will greatly help in optimizing the UI for the end user): https://w3c.github.io/webauthn/#sctn-assertion-privacy

But it seems like I can guess the availability of keys by doing an assertion request with this option: https://developer.apple.com/documentation/authenticationservices/asauthorizationcontroller/requestoptions/3994648-preferimmediatelyavailablecreden

Although the error code is generic, based on timing information, such as whether it returned immediately instead of opening the QR code fallback, I can guess the availability of a key.

Accepted Reply

Excellent point! This is actually an area where all major browsers have already explicitly chosen to deviate from the spec in favor of usability, and our AuthenticationServices API follows suit. Per the spec, a browser should hold the error when a user cancels the sheet, and not actually deliver the error back to the site until the timeout expires. In practice, this creates a very poor user experience because the user could be sitting and staring at the site for 30 seconds or more after cancelling a WebAuthn operation before the site knows anything has happened. Within the WebAuthn Working Group, major browser vendors decided to either return errors immediately or with some small delay injected, in order to make the WebAuthn API more usable.

Replies

Thanks for the clarification.