Transport value for non-platform vendor products

Rew Islam

Jan 31, 2023, 1:16:08 PM
to FIDO Dev (fido-dev)

We're working on a software passkey authenticator.

We'd like to know what the group thinks we should report as a transport.

Initially we thought 'internal', but perhaps 'hybrid' is more appropriate? Neither accurately represents the use case, hence the question.

Curious to hear what the group thinks.

hybrid

Indicates the respective authenticator can be contacted using a combination of (often separate) data-transport and proximity mechanisms. This supports, for example, authentication on a desktop computer using a smartphone.

internal

Indicates the respective authenticator is contacted using a client device-specific transport, i.e., it is a platform authenticator. These authenticators are not removable from the client device.

Tim Cappalli

Jan 31, 2023, 1:24:47 PM
to Rew Islam, FIDO Dev (fido-dev)

In cases where you are integrated in a non-native manner (e.g. a browser extension), I personally would prefer transports to be empty (like it is in your beta).

Tim

John Bradley

Jan 31, 2023, 2:17:05 PM
to Tim Cappalli, Rew Islam, FIDO Dev (fido-dev)

Transport hints were originally intended to be used as part of an allow list, so that the user agent can optimize the authenticator selection dialogues.
As an example, if none of the credentials have an NFC transport, the platform may not offer that option.

I don’t know how much they are really used for that currently by platforms.

For you perhaps platform might make the most sense, though it really won’t help anything around the intended use.

The question may be: are RPs looking at those hints in any way and making UX decisions outside the protocol?

They shouldn’t be, in my opinion; however, if anything, that might drive your decision around what transports to list.

John B.

Christiaan Brand

Jan 31, 2023, 2:22:18 PM
to John Bradley, Tim Cappalli, Rew Islam, FIDO Dev (fido-dev)

Depends on how the user would "attach" the authenticator. If there's a way to get at it using CTAP:USB, then you should say "usb". If it's always assumed to just "be there" (which I think is what you're doing), then you should say "internal". If it's accessible over hybrid, you'd say "hybrid". You can also do a mixture of both. Google Password Manager does {internal,hybrid}.
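
An added example, not part of the thread or any participant's code, of the allow-list use of transport hints described in the two posts above: a relying party passes stored transports back in `allowCredentials`, and a client narrows what it offers. `chooserOptions()` is a hypothetical model of client behaviour, and the credential ids are constructed placeholder strings (real ids are binary).

```javascript
// Transport values defined for WebAuthn credential descriptors.
const KNOWN = ["usb", "nfc", "ble", "hybrid", "internal"];

// Build allowCredentials from stored records. `transports` is whatever
// getTransports() returned at registration, stored and passed back unmodified.
function buildAllowCredentials(records) {
  return records.map(({ id, transports }) => {
    const desc = { type: "public-key", id };
    // An empty list carries no hint, so the member is simply omitted.
    if (Array.isArray(transports) && transports.length > 0) {
      desc.transports = [...transports];
    }
    return desc;
  });
}

// Hypothetical client model: offer only transports hinted by at least one
// credential. A credential with no hints could be reachable by any means,
// so every option has to stay available.
function chooserOptions(allowCredentials) {
  if (allowCredentials.length === 0) return [...KNOWN]; // no allow list at all
  const hinted = new Set();
  for (const cred of allowCredentials) {
    if (!cred.transports || cred.transports.length === 0) return [...KNOWN];
    for (const t of cred.transports) if (KNOWN.includes(t)) hinted.add(t);
  }
  // If no hint was recognised, fall back to offering everything.
  return hinted.size > 0 ? KNOWN.filter((t) => hinted.has(t)) : [...KNOWN];
}

// Constructed sample records.
const securityKey = { id: "cred-A", transports: ["usb"] };
const passwordManager = { id: "cred-B", transports: ["internal", "hybrid"] };
const extensionNoHints = { id: "cred-C", transports: [] };

console.log(chooserOptions(buildAllowCredentials([securityKey])));
console.log(chooserOptions(buildAllowCredentials([securityKey, passwordManager])));
console.log(chooserOptions(buildAllowCredentials([securityKey, extensionNoHints])));
```

In this model, one credential registered with empty transports is enough to remove any narrowing for the whole allow list.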


Christiaan Brand

Feb 7, 2023, 11:35:31 PM
to Rew Islam, FIDO Dev (fido-dev), Tim Cappalli, John Bradley

sgtm.

On Wed, Feb 8, 2023 at 12:00 PM Rew Islam <rew....@dashlane.com> wrote:
Ok, I had misunderstood the meaning of transports, my assumption was it reported the transport under which the credential was created.

What I understand now is that it is the various manners in which that specific credential can be accessed. In our product's case, a credential could be accessed via internal and hybrid - the fact that it can be accessed by "other means" via a browser extension is just an implementation detail of our product and should not impact anything around platforms nor RPs (they should not care). Our product would only serve credentials it knows about, and refer to the OS/browser for all other cases.

We will report "internal, hybrid".


Christiaan Brand

Feb 8, 2023, 2:36:31 AM
to Rew Islam, FIDO Dev (fido-dev), John Bradley, Tim Cappalli

I’m seeing all of your messages, fwiw.

On Wed, Feb 8, 2023 at 15:35 Rew Islam <rew....@dashlane.com> wrote:
Not sure why my messages keep getting deleted, if someone is deleting them for some reason, please let me know the reason. - rew.islam at dashlane.com