Intent to Prototype: WebAuthn Cross-Device Fallback URL Extension


Chromestatus

12:26 PM
to blin...@chromium.org, chrome-...@google.com, mart...@google.com
Contact emails
mart...@google.com, nsat...@google.com, ke...@google.com

Explainer
https://github.com/w3c/webauthn/blob/main/explainers/cross-device-fallback-url.md

Specification
https://github.com/w3c/webauthn/pull/2380

Summary
The crossDeviceFallbackUrl extension for WebAuthn assertion requests allows users who attempt to sign in with WebAuthn cross-device authentication (the CTAP "hybrid" transport, i.e. scanning a browser-rendered QR code with a phone) to authenticate via alternative mechanisms if they don't have passkeys available. This is meant to reduce friction for users while trying to sign in with a passkey from another device. In the crossDeviceFallbackUrl, Relying Parties can provide a “fallback” URL to a sign-in page. The authenticator device (usually a phone) will open this URL if it does not have a passkey available for the given RP. The RP can then authenticate the user on the phone via other (unspecified) mechanisms.

Blink component
Blink>WebAuthentication

Web Feature ID
Missing feature

Motivation
The most common failure observed in WebAuthn cross-device ("hybrid") authentication requests is that the remote authenticator device (authenticator) does not have an available passkey. This is a common UX complaint, since users have already gone through significant friction to get to that point (i.e., got out their phone and scanned the QR code). There usually is no clear recovery path for this user journey; the user is expected to dismiss the error on the phone, cancel the WebAuthn request on their desktop, and then continue to authenticate in some other way. The crossDeviceFallbackUrl extension enables Relying Party websites to handle the fallback authentication directly on the remote authenticator device, reducing user friction in a common failure path.

Initial public proposal
https://github.com/w3c/webauthn/pull/2380

Goals for experimentation
None

Requires code in //chrome?
False

Tracking bug
https://crbug.com/509934168

Estimated milestones
No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/6376947442647040?gate=6457133676756992

This intent message was generated by Chrome Platform Status.